Implementing Gravatar Properly

The other day a good friend of mine suggested I implement Gravatar on my website. So I started checking how it works and found it was incredibly easy. All I'd have to do is put an img element with a link to an MD5 hash of the commenter's email. Like this: <img src="" />

MD5's can be Sensitive Information

The commenter's email hash is visible to all visitors, robots/spiders, etc etc. Gravatar says it's okay because you can't crack the MD5 hash to retrieve the email. Indeed, for that you would probably need a database with emails and their MD5 hash to figure out what email is behind each hash.

There are 2 issues with this:

  • Without figuring out the email, you can still find the user's other posts on other sites. All you need to do is search for the MD5 hash. Perhaps the Gravatar user is okay with this, perhaps not.
  • If you are an administrator of an email database, you can search for MD5 hashes and easily find out what your users have been posting and where.

Other Issues

  • Non-Gravatar users can be tracked on the web too

    Even if you are not a Gravatar user, many websites will submit your email's MD5 hash to Gravatar and show that hash to the visitor. This means that even non-Gravatar users are now Gravatar users. There is nothing stopping Gravatar from storing this and nothing stopping people you know from finding your posts. Yes, anyone you know can go insane (like many employers who demand your social media credentials) and search the web for your email's md5 hash.

  • Gravatar can haz your blog statistics

    Every time someone visits a Gravatar enabled website, Gravatar gets some of the website's user statistics: visitor's IP, browser/OS and the page visited.

  • Gravatar Knows Where You Have Been

    Of course, because of the above, Gravatar can know about all the posts made by their users on Gravatar enabled sites. Maybe they don't gather that info, but technically it's totally possible.

  • Websites that use Gravatar deliver content from third party sources

    This can be a problem when your website uses HTTPS: using Gravatar means some of your content is no longer encrypted, unless you use Gravatar's HTTPS version. But using Gravatar's HTTPS version means asking your visitors to trust their SSL certificate, which is issued by GoDaddy!

    I know it is very common practice to have many bits of websites hosted behind many different URLs, but it's always good to limit that where possible. For example, embedding a YouTube video is understandable as it is actual content and generally users can see where this comes from. Pulling avatars, icons and such from all over the web isn't so cool.

    It also means losing control over what parts of your site are actually getting delivered to your visitors and how they are getting delivered. You cannot know if your visitor's connection to Gravatar is broken or altered.

    From a non-privacy-insane perspective there could be performance issues: don't forget visitors now have yet another domain name to resolve. Reducing the number of DNS queries can help what they call "the user experience".

How can we Fix This ?

  • Give your commenter the choice of using Gravatar's service

    Instead of just hashing everyone's email "de force", why not let the commenter choose to have their email hash posted on the Internet ? Perhaps even a Gravatar user may want to make a comment without linking it to their Gravatar profile ?

    I'll stress this a tiny bit more, because so many sites use Gravatar but don't even inform their users in the slightest way. If you want to use Gravatar for every comment, why not, but you should at least inform your users.

  • Not show the email's MD5 hash in the first place

    Why not just make the request to the Gravatar avatar from the website and then deliver that to the visitors ?

    The technical how-to, in a nutshell: replace the Gravatar image link with a link to a script and pass it a GET variable, such as the comment id. The script then works out the MD5 hash (if the user agreed), requests the image from Gravatar and serves it to the visitor.

    This also helps reduce the number of DNS queries your visitors will make; instead, your website/webserver will do all the work. And your webserver should probably have better bandwidth than your average visitor.
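
The proxy described above, as an added example in Python (it is not the gravatar_img.php script this site uses). The comment table, the `gravatar_opt_in` field, the default avatar and the in-memory cache are assumptions made for illustration.

```python
import hashlib
import urllib.request

# Constructed sample rows standing in for the site's comment table (assumption).
COMMENTS = {
    1: {"email": " Alice@Example.org ", "gravatar_opt_in": True},
    2: {"email": "bob@example.org", "gravatar_opt_in": False},
}
DEFAULT_AVATAR = ("image/png", b"<bytes of a locally hosted default avatar>")
_cache = {}  # comment id -> (content_type, body); avoids one upstream hit per page view


def gravatar_hash(email):
    """MD5 of the trimmed, lowercased address, as Gravatar expects."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def fetch_from_gravatar(email_hash, size=80):
    """Server-side HTTPS fetch; d=404 asks Gravatar for a 404 when no avatar exists."""
    url = f"https://www.gravatar.com/avatar/{email_hash}?s={size}&d=404"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.headers.get_content_type(), resp.read()
    except OSError:  # covers HTTP 404, DNS/TLS failures and timeouts
        return None


def avatar_for_comment(raw_id, fetch=fetch_from_gravatar):
    """Body of a hypothetical /gravatar_img?id=... handler: returns (content_type, bytes)."""
    try:
        comment_id = int(raw_id)
    except (TypeError, ValueError):
        return DEFAULT_AVATAR
    comment = COMMENTS.get(comment_id)
    # No such comment, or the commenter did not opt in: Gravatar is never contacted.
    if comment is None or not comment["gravatar_opt_in"]:
        return DEFAULT_AVATAR
    if comment_id not in _cache:
        result = fetch(gravatar_hash(comment["email"]))
        # Relay only image responses; anything else falls back to the local avatar.
        if result is None or not result[0].startswith("image/"):
            result = DEFAULT_AVATAR
        _cache[comment_id] = result
    return _cache[comment_id]
```

The visitor's browser only ever sees the comment id in the image URL. The hash exists only inside the server-to-Gravatar request, and Gravatar sees the web server's IP rather than each visitor's.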

I think this probably extends to many more services than just Gravatar. And Gravatar are probably nice people with pure intentions... It's not the end of the world, but it would be nice if webmasters put more thought into this sort of thing. The Interweb is still an experimental place; we should still be actively thinking about how we build it, not just lazily and passively doing things the way they've always been done.

Gravatar Enabled

Starting today, on this website, if you post a comment you can choose to have your email's MD5 hash submitted to Gravatar to see if you have an avatar there I can use. Your email's MD5 hash will not be visible to other users.

This is what the img element that displays the G/avatars looks like on this website:

<img src="/blah/modules/gravatar/gravatar_img.php?id=1" />



Well done, my friend.


You worry too much :_)

Nice article btw.

manu -

Thanks guys. : ]

I worry just a bit, but found an easy solution that should make everyone happy.

Now some fun:

Owiwi, you do not have a Gravatar avatar, however I used your email md5 hash and found 3 other posts you have made using this email address on sites that implement Gravatar in the "stupid easy" way.

I know what kinds of books you are interested in, I think you are subscribed to this other blogger (Internet engineer), maybe you know him IRL. I also know that you have experience using a specific registrar for managing domains and that you recommend them.

Of course I know you IRL, but it's interesting what I managed to find using only the md5 hash of your email. : ]

edit: I forgot to mention that you have used a different display name for each website where I found your posts. This could indicate that your goal was not to associate them to each other.


Now I should not have used the gravatar option then :)

Scary isn't it ?

manu -

That's the other point, on those other sites you did not have the choice of using/not-using any Gravatar option.

One of those sites does at least indicate that they will use Gravatar, that's a good thing but most sites do not.

manu -

Hey Renerio, I don't think anyone has reconsidered the way they implement Gravatar.

It's been suggested to me that I should make a WordPress plugin, if I do it I'll let you know (as I believe your site is WP).

Umm Haneefah -

This is something I find with a lot of blogs like this. You have said what code is needed but you do not say WHERE to put it. In the header, in an article, in a post?