Unsalted hashes endanger user's privacy
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Libravatar (obsolete) |
Triaged
|
Undecided
|
Unassigned | ||
Bug Description
Exposing hashes of user's emails endangers privacy of user's email address, and possibly user's true identity. Even if user has not set up his avatar. This violates many site's privacy policies, forcing site maintainers to disable avatars completely (or make them opt-in for each individual user).
Examples:
http://
http://
http://
http://
Using SHA256 is better in terms of collision avoidance, but is also vulnerable to dictionary and rainbow table attacks (albeit slightly more expensive).
Salting the hash would solve the problem, but would require salt to remain a shared secret between avatar provider and web application showing the avatars. This means each web application should register with each avatar provider and keep a shared secret salt and use it when showing images.
Not sure yet how this can work with federated providers though.
| Štefan Baebler (stefanba) wrote | #1 |
| Changed in libravatar: | |
| status: | New → Triaged |
| tags: | added: privacy |
| strk (strk) wrote | #2 |
Salting the hash per web application would allow user to see which individual applications are using his avatar photos, and possibly give him control over which of his avatar photo he wants to show in which web application, while still using the same email address in all web applications.