Regarding profile pictures
The Empty Vault › Forums › Bureau of Security and Signals Intelligence Forum › Regarding profile pictures
Tagged: help request
- This topic has 9 replies, 6 voices, and was last updated 4 months, 1 week ago by Harry.
17th October 2022 at 8:56 am #86368ToadManParticipant
Does anyone know how to/if it’s possible to change your profile picture? If so, how can I?20th October 2022 at 3:17 pm #86760RhydwenParticipant
It looks as though you need a gravatar profile…. https://en.gravatar.com/ I haven’t tried it.21st October 2022 at 1:52 pm #86850madnessParticipant
You also must be registered as a teacher. That way, only dinosaurs are visible.10th November 2022 at 10:58 am #87031RhydwenParticipant
The profile picture facility looks to have been removed and dinosaurs are no longer visible, or I’ve lost some facility to see them?…11th November 2022 at 1:06 pm #87234loonyParticipant
Yes somone pls explain?????11th November 2022 at 1:07 pm #87243HarryKeymaster
We can’t control the content of external links and the built in profile picture facility required us to allow that, so unfortunately it had to go. Sorry, Harry13th November 2022 at 10:20 am #87260RhydwenParticipant
[Thanks to rhydwen for the following really clear exposition of the security issues concerning the use of GravatarThe profile pictures were going to be provided by a service provided by Gravatar. Harry]
All URLs, for the Gravatar images, are based on the use of the MD5-hashed value of the poster’s email address. So, Gravatar would need to know all the posting participant’s email addresses and would then use the MD5-hash, of those addresses, to form the url for the profile picture.
As Gravatar would serve the profile images for every browser request, Gravatar would know the email address of the poster and also the ip address of all viewers of the post; enabling them to build a picture of the relationship between the poster and the readers of that post.
If another party could guess the posters email domain (the bit after the @ sign), then they could either search a list of email addresses from that domain, to find a MD5-hash match, or even brute force a match to the username part of the email address – deriving the full email address of the poster from their image’s url.
None of the above is the sort of thing a super sleuth would welcome.13th November 2022 at 3:58 pm #87266madnessParticipant
He’s right. You can see for yourself if you check your gravatar (sub in your email address):
Harry, if you like, I could implement a more secure version using a secret key, like HMAC does,
if you want to host it.17th November 2022 at 11:28 am #87268The-Letter-WrigglerParticipant
I think its best to use as few off site resources as possible.
I wonder if some on-site jpg’s could be used and tagged to be displayed where
needed, one graphic for all participants and THE HAT graphic for keymasters.17th November 2022 at 11:29 am #87297HarryKeymaster
Nice idea TLW, will talk to the admins about it.
- You must be logged in to reply to this topic.