astroidmail / astroid

A graphical threads-with-tags style, lightweight and fast, e-mail client for Notmuch
http://astroidmail.github.io

(question) Privacy and Gravatar #52

Closed hugoroy closed 8 years ago

hugoroy commented 8 years ago

I was just thinking of the privacy implications of using Gravatar in light of the benefit.

I agree that it's nice to have the faces of people you're writing with. It makes the experience more personal and pleasant. But I'm not sure Gravatar is the best way for this.

On the one hand, in my experience so far, very few of my contacts got a picture on Gravatar. So the benefit of Gravatar itself in that regard seems very limited.

On the other hand, I am wondering about the privacy implications of relying on Gravatar. Wouldn't that mean that they could find out whose email I'm reading or even all the people who participate in one thread? That seems like a big information leak about private social circles to me.

gauteh commented 8 years ago

Yeah, it should be configurable at least. There are other providers like Google and Twitter too for avatars. If it is removed it would be nice with some local algorithm which picks a background color and uses the initials (could use help for the html/css in that case).

My biggest concern now is that it might be possible to include some JS in an email and send something out again, I think I enabled JS in webkit just to be able to use code highlighting and mathjax.

Finally, GPG is only partially implemented. Only very rudimentary decrypting works.

gauteh commented 8 years ago

JS stuff is related to #49.

gauteh commented 8 years ago

Gaute Hope writes on January 10, 2016 22:26:

> My biggest concern now is that it might be possible to include some JS in an email and send something out again, I think I enabled JS in webkit just to be able to use code highlighting and mathjax.

This should not be possible with plain-text since it is escaped when it is passed through gmime's html filter. Opening a html part (potentially sketchy) might allow for it.

emdete commented 8 years ago

how about an external script that grabs the avatar-by-email? i found as well that the avatar doesn't seem to be cached at all and retrieved for every single mail - which takes several seconds for a 60 mail thread here.

gauteh commented 8 years ago

Gaute Hope writes on January 11, 2016 10:58:

> Gaute Hope writes on January 10, 2016 22:26:
>
> > My biggest concern now is that it might be possible to include some JS in an email and send something out again, I think I enabled JS in webkit just to be able to use code highlighting and mathjax.
>
> This should not be possible with plain-text since it is escaped when it is passed through gmime's html filter. Opening a html part (potentially sketchy) might allow for it.

Also, when pressing C-i to show remote images: all remote requests are approved. Need to be fixed. Added some more warnings about that.

gauteh commented 8 years ago

By the way, only the md5 hash of the addresses involved in a conversation is sent to gravatar. But they would have to have a dictionary somewhere..

hugoroy commented 8 years ago

Yes, but that's still an issue because it allows Gravatar to see the social graph in (usually) private conversations.

Also if you're actually subscribed to gravatar, I suppose that they can match this with the email address.

Not saying Gravatar is evil but I think that we should be careful with that option.

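Alternatives could be:

  • to copycat Android and iOS and display initials on a colored background;
  • to work on integration with contacts apps (opening a whole can of worms which I think is far from necessary right now especially with notmuch being able to scan addresses).

These above are not mutually exclusive anyway.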

Sent from my mobile device.
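The exchange above about the MD5 hash and the "dictionary", as an added example that is not part of the original thread or of astroid's code: it computes the identifier Gravatar uses for an address (MD5 of the trimmed, lower-cased address) and shows what a party that already holds a list of addresses can recover from the hashes requested for one thread. The addresses and the function names are constructed for illustration.

```python
import hashlib
from itertools import combinations


def gravatar_hash(address):
    """Gravatar's identifier: MD5 hex digest of the trimmed, lower-cased address."""
    return hashlib.md5(address.strip().lower().encode("utf-8")).hexdigest()


def hashes_sent_for_thread(participants):
    """The distinct hashes that appear in avatar requests when a thread is shown."""
    return sorted({gravatar_hash(a) for a in participants})


def reidentify(observed, known_addresses):
    """Provider-side view: map each observed hash to a known address, or None."""
    table = {gravatar_hash(a): a for a in known_addresses}
    return {h: table.get(h) for h in observed}


def co_participants(observed, known_addresses):
    """Pairs of identified addresses that were seen in the same thread."""
    matches = reidentify(observed, known_addresses).values()
    named = sorted(a for a in matches if a)
    return list(combinations(named, 2))


# Constructed sample data: one thread, and the address list a provider
# might already hold (for example, its own registered users).
THREAD = ["Alice@Example.org", "bob@example.org ", "carol@example.net"]
KNOWN = ["alice@example.org", "bob@example.org", "dave@example.org"]

if __name__ == "__main__":
    sent = hashes_sent_for_thread(THREAD)
    for digest, who in reidentify(sent, KNOWN).items():
        print(digest, "->", who or "(not in the provider's list)")
    print("seen together:", co_participants(sent, KNOWN))
```

The hash is unsalted and deterministic, so it works as a stable pseudonym: even the address that is not identified keeps the same value in every thread it appears in.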

gauteh commented 8 years ago

Hugo Roy writes on June 13, 2016 14:07:

> Yes, but that's still an issue because it allows Gravatar to see the social graph in (usually) private conversations.
>
> Also if you're actually subscribed to gravatar, I suppose that they can match this with the email address.
>
> Not saying Gravatar is evil but I think that we should be careful with that option.
>
> Alternatives could be:
>
>   • to copycat Android and iOS and display initials on a colored background;
>   • to work on integration with contacts apps (opening a whole can of worms which I think is far from necessary right now especially with notmuch being able to scan addresses).
>
> These above are not mutually exclusive anyway.

Yes - true. It is now possible to make plugins to do your own avatar stuff, @emdete is experimenting with this now - then I don't care how hairy it is. There should be a common place to gather useful user-plugins in a repository (this discussion should proceed on #156).

regards, gaute
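The "initials on a colored background" alternative discussed above, as an added example that is not part of the original thread and not code from astroid or astroid-plugin-avatar: it builds the avatar locally as an SVG string, so no request leaves the machine. The function names, the SVG layout and the colour scheme are assumptions made for illustration; the display name comes from the message and is therefore escaped before it is placed in markup.

```python
import hashlib
import html


def initials(name, address):
    """First letters of the first and last word of the display name.

    Falls back to the first character of the address, then to '?'.
    """
    words = name.split()
    if words:
        letters = words[0][0] + (words[-1][0] if len(words) > 1 else "")
    else:
        letters = address.strip()[:1] or "?"
    return letters.upper()


def background(address):
    """Deterministic colour per address, computed locally (nothing is sent)."""
    digest = hashlib.sha256(address.strip().lower().encode("utf-8")).digest()
    hue = int.from_bytes(digest[:2], "big") % 360
    return f"hsl({hue}, 45%, 45%)"


def avatar_svg(name, address, size=48):
    """Self-contained SVG avatar; the sender-controlled text is HTML-escaped."""
    text = html.escape(initials(name, address))
    return (
        f'<svg xmlns="http://www.w3.org/2000/svg" width="{size}" height="{size}">'
        f'<rect width="100%" height="100%" fill="{background(address)}"/>'
        f'<text x="50%" y="50%" dy=".35em" text-anchor="middle" fill="#fff" '
        f'font-family="sans-serif" font-size="{size // 2}">{text}</text>'
        "</svg>"
    )


if __name__ == "__main__":
    # Constructed sample senders, including a hostile display name.
    for name, addr in [("Hugo Roy", "hugo@example.org"),
                       ("", "emdete@example.org"),
                       ("<img src=x>", "mallory@example.net")]:
        print(avatar_svg(name, addr))
```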

jimcheetham commented 7 years ago

libravatar.org is a federated alternative to gravatar - so if you control your own domain you can control your own images. However, there will be a call to their servers first. I know that their service is concerned with security rather than privacy, but I know the lead developer is very interested in privacy and therefore will be happy to answer questions. In theory it's a client-side drop-in replacement for gravatar by just changing the URL called.

gauteh commented 7 years ago

Jim Cheetham writes on March 13, 2017 2:39:

> libravatar.org is a federated alternative to gravatar - so if you control your own domain you can control your own images. However, there will be a call to their servers first. I know that their service is concerned with security rather than privacy, but I know the lead developer is very interested in privacy and therefore will be happy to answer questions. In theory it's a client-side drop-in replacement for gravatar by just changing the URL called.

You could also implement this in: https://github.com/astroidmail/astroid-plugin-avatar