  2. 12

    On this topic, I recently submitted a pull request to replace lobsters’ little avatars with libravatar, and while I was at it, also implemented it for Emacs (ergo it will be used by Magit and Gnus), where it will be used as default after version 28.

    Those who knew about the service, but didn’t pay too much attention (like me) might have been surprised to hear that they nearly shut down two years ago, but were then revived and revamped by groups using them.

    1. 3

      I don’t get it. How is it federated if it requires a central account?

      Something like WebFinger could be extended to include avatars. That way the information is loaded from the user’s website.

      1. 18

        You’re not. If your email address is someone@example.com, a libravatar library will look for a specific DNS record associated with example.com to find out if this domain has its own libravatar server. If not, it will default to the central account, that in turn defaults to gravatar, if the user isn’t registered there. The specifics are explained on the wiki, under “Federated servers”.

      2. 1

        What are the privacy implications of this? I avoid Gravatar for two reasons:

        1. I don’t really understand the value they offer. Why is it better for me to specify a central location for my avatar rather than upload it to each site I use? Is it really just so people can easily globally change their avatar rapidly?
        2. The entire purpose from Gravatar’s perspective appears to be to track people across the Internet, by having them opt into a service that explicitly links all of their accounts in various places (lobste.rs downloads the avatar once, other sites fetch it from the remote site every time, leaking a load of information to Gravatar).

        This protocol appears to explicitly provide a tight binding between users’ email addresses and avatars. It doesn’t have the centralised pre-attacked design that Gravatar has, but it does make it relatively easy to link users to other accounts. Email addresses are not normally private identifiers (and spammers will happily sell you a list of known-working addresses), so an attacker can quite easily find the set of users on a server and their avatars, download them, and then cross-reference them against the images that a user has provided. For lobste.rs, someone just needs to dump the /avatars/{username}-100.png and match those against people of interest. This seems like something that would be quite easy for a simple web crawler to do. I’m using my real name here (though, I suppose, you can’t tell that I’m not using someone else’s real name), but if you want any kind of anonymity or pseudonymity then this seems to break it. Unless you sign up to each site with a different throw-away email address and use a different avatar for each, but then you may as well just upload an avatar (related: given that lobste.rs appears to download the avatars from Gravatar, why not just let people who want avatars upload them? Or just let you specify a URL containing your avatar that it will poll periodically?)

        1. 1

          Why is it better for me to specify a central location for my avatar rather than upload it to each site I use?

          I think it’s easier for website developers (they don’t need to implement a separate avatar service, even if that isn’t too difficult) and it’s easier for users (they don’t need to set up an avatar, but aren’t faceless without one, but also the point that you mention). Another place where Gravatar-like services help is in Email clients, where there is no real default to transfer an avatar, or at least none that is really being used.

          The entire purpose from Gravatar’s perspective appears to be to track people across the Internet, by having them opt into a service that explicitly links all of their accounts in various places.

          That’s one of the reasons I deleted my Gravatar account, but to be fair it’s not as bad as other services (like the facebook “like button”).

          but it does make it relatively easy to link users to other accounts

          I think that this is a problem by design. If you want to have a “globally recognizable avatar”, you probably aren’t going to have a different avatar on each site.

          I’m not sure if I’m misunderstanding your line of attack, but since both Gravatar and Libravatar use a hash value (md5 or sha1) of the user’s email address, you don’t directly get access to their email. Sure, it’s not fool-proof, but it would make it harder than just to write a simple web scraper.

          1. 2

            Another place where Gravatar-like services help is in Email clients, where there is no real default to transfer an avatar, or at least none that is really being used.

            This is a pretty horrible use case. With Gravatar, an email client that does this is giving Gravatar a complete list of your contacts (at least, the ones with email accounts, though given it’s an unsalted hash it’s feasible for Gravatar to find a lot of the others if they care). Depending on the caching that your client does, it may even leak frequency of communication and a whole bunch of other metadata.

            This is much worse with libravatar than Gravatar. It makes it trivial for spammers to detect if you’ve actually received the email - just send you an email from some_fake_new_address@example.com and if their mail client tries to fetch the Libravatar-advertised file, you have a live address. For extra fun, always 404 so you can see how often they try to fetch it and get some idea of whether it’s getting past spam filters.

            From a usability perspective, this really only makes sense if you have <20 friends. That’s around the cross-over point where humans are faster going from word to identity than from small picture to identity.

            I’m not sure if I’m misunderstanding your line of attack, but since both Gravatar and Libravatar use a hash value (md5 or sha1) of the user’s email address, you don’t directly get access to their email. Sure, it’s not fool-proof, but it would make it harder than just to write a simple web scraper.

            It depends a bit on how long your email address is. Creating a complete rainbow table for up-to-8-character identifiers for MD5 or SHA1 takes a few hours on a vaguely modern GPU. Let’s say I want to find all of the users with example.com email addresses. If you are zge@example.com and I know that your avatar name has the MD5 hash 2a51fd8a8ea9d7f4bdeb3dd23f5a3d35, then I look you up in the rainbow table that cost me a few cents of electricity to compute and, sure enough, there is an entry, zge (implicitly @example.com) maps to 2a51fd8a8ea9d7f4bdeb3dd23f5a3d35. Now I know your email address. Systematically uncovering all users in a domain who have usernames <10 characters in their email address is computationally feasible for a bored individual with a vaguely recent computer.

            The service itself acts as an oracle. I can query example.com to find your Libravatar service and then if I get a file when I request 2a51fd8a8ea9d7f4bdeb3dd23f5a3d35.png, then I know that the avatar I found is the avatar of zge@example.com (though I don’t know if someone has copied your avatar). If I assume that you are zge@{something}, then I can very cheaply calculate zge@{every domain known to host an email server}, query each one, and see if they reply with your avatar. I’m only doing a handful of queries for each server, so I’m unlikely to even hit rate limiting, especially if I do it from a botnet.

            The stated aims of Libravatar don’t include any claims about privacy and they only talk about security in the context of their code. It’s a shame that a new service like this was created without thinking about privacy at all.

            If you only want this to work with sites that you’ve signed up to, it would be fairly easy to add a per-site nonce, so instead of asking for md5(zge@example.com).png, the site would ask for md5(lobste.rs + {one-off random identifier} + zge@example.com).png. That would make it harder for a third party to use the service as an oracle. Or, ideally, use a hash that isn’t designed to be fast to compute.

            I haven’t spent very long thinking about this, but it sounds as if there are a lot of potential information leaks.
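The mitigation proposed in this comment (a per-site nonce folded into the hash, or a hash that is deliberately slow), as an added example that is neither Libravatar’s nor Lobsters’ code. It shows why the unsalted identifier is the same on every site and therefore trivially joinable by a crawler, while a site-bound identifier differs per site; the site nonces and the address `zge@example.com` are constructed sample values.

```python
import hashlib

# Constructed per-site secrets; in practice each site would generate a long random
# nonce once and keep it private (labelled constructed, not real values).
SITE_NONCES = {
    "lobste.rs": b"constructed-nonce-for-lobsters-0001",
    "forum.example": b"constructed-nonce-for-forum-0002",
}


def _normalize(email: str) -> bytes:
    return email.strip().lower().encode("utf-8")


def plain_identifier(email: str) -> str:
    """Today's scheme: unsalted MD5 of the address, identical on every site that uses it."""
    return hashlib.md5(_normalize(email)).hexdigest()


def site_bound_identifier(site: str, site_nonce: bytes, email: str) -> str:
    """md5(site + nonce + email), as proposed above: only this site can recompute it."""
    return hashlib.md5(site.encode("utf-8") + site_nonce + _normalize(email)).hexdigest()


def slow_identifier(site: str, site_nonce: bytes, email: str, rounds: int = 200_000) -> str:
    """Same binding through PBKDF2-SHA256, so guessing short local parts in bulk costs real time."""
    salt = site.encode("utf-8") + site_nonce
    return hashlib.pbkdf2_hmac("sha256", _normalize(email), salt, rounds).hex()


def cross_site_identifiers(email: str, site_nonces: dict, scheme: str) -> set:
    """Identifiers the given sites would publish for one user.

    A result with a single member means every site exposes the same value and a
    crawler can join the accounts; one member per site means it cannot.
    """
    out = set()
    for site, nonce in site_nonces.items():
        if scheme == "plain":
            out.add(plain_identifier(email))
        elif scheme == "site_bound":
            out.add(site_bound_identifier(site, nonce, email))
        elif scheme == "slow":
            out.add(slow_identifier(site, nonce, email))
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
    return out


if __name__ == "__main__":
    for scheme in ("plain", "site_bound", "slow"):
        print(scheme, len(cross_site_identifiers("zge@example.com", SITE_NONCES, scheme)))
```

The site-bound schemes only work where the avatar server agrees to serve the salted identifier, which is the trade-off the comment notes: the service stops being a global oracle, but also stops being a global avatar.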

        2. 1

          I was going to suggest it to Lobste.rs but I thought they obviously know about this and now I see this here. Petition to make Lobste.rs use Libravatar instead of Gravatar.

          1. 1

            Well there is the pull request I mentioned above.

          2. 1

            I signed up for Gravatar years ago and do update my avatar every once in a blue moon. It can be a little unnerving seeing really old stuff online with new avatars. I wish you could globally set a new avatar, but only for anything posted after the new avatar was set.

            1. 0

              Really really cool 👍