My fresh WordPress upgrade now infected my blog with 3rd party content; how offensive.
One of the ‘features’ in WordPress now that folks who read my blog and leave comments get avatars. Well the would, except I turned it off. These avatars are injected into the page from a gravatars.com. Gravatars is a divisiton of Automattic, i.e. the WordPress company.
These avatars have assorted problems. First off they let Automattic track my users. Argh. Secondly the design for gravatars makes only a slight effort to maintain the privacy of the users. The avatars are indexed by taking the user’s email address and jumbling it. So email@example.com becomes 3b3be63a4c2a439b013787725dfce802. That’s bad. It’s not particularly secure; with a good dictionary of email addresses you can recover the user’s email address.
That’s also a globally unique identifier for the user; enabling anybody with access to a good web crawl to find other places the same user has left comments. Bleck.