Regarding profile pictures
Tagged: help request
- This topic has 9 replies, 6 voices, and was last updated 4 months, 1 week ago by Harry.
17th October 2022 at 8:56 am #86368 ToadMan Participant
Does anyone know how to/if it’s possible to change your profile picture? If so, how can I?
20th October 2022 at 3:17 pm #86760 Rhydwen Participant
It looks as though you need a Gravatar profile… https://en.gravatar.com/ I haven’t tried it.
21st October 2022 at 1:52 pm #86850 madness Participant
You also must be registered as a teacher. That way, only dinosaurs are visible.
10th November 2022 at 10:58 am #87031 Rhydwen Participant
The profile picture facility looks to have been removed and dinosaurs are no longer visible, or I’ve lost some facility to see them?…
11th November 2022 at 1:06 pm #87234 loony Participant
Yes someone pls explain?????
11th November 2022 at 1:07 pm #87243 Harry Keymaster
We can’t control the content of external links and the built-in profile picture facility required us to allow that, so unfortunately it had to go. Sorry, Harry
13th November 2022 at 10:20 am #87260 Rhydwen Participant
[Thanks to rhydwen for the following really clear exposition of the security issues concerning the use of Gravatar. The profile pictures were going to be provided by a service provided by Gravatar. Harry]
All URLs for the Gravatar images are based on the use of the MD5-hashed value of the poster’s email address. So, Gravatar would need to know all the posting participants’ email addresses and would then use the MD5-hash of those addresses to form the URL for the profile picture.
As Gravatar would serve the profile images for every browser request, Gravatar would know the email address of the poster and also the IP address of all viewers of the post, enabling them to build a picture of the relationship between the poster and the readers of that post.
If another party could guess the poster’s email domain (the bit after the @ sign), then they could either search a list of email addresses from that domain, to find an MD5-hash match, or even brute force a match to the username part of the email address – deriving the full email address of the poster from their image’s URL.
None of the above is the sort of thing a super sleuth would welcome.
13th November 2022 at 3:58 pm #87266 madness Participant
He’s right. You can see for yourself if you check your Gravatar (sub in your email address):
https://en.gravatar.com/site/check/%5BYOUREMAILADDRESS%5D
Harry, if you like, I could implement a more secure version using a secret key, like HMAC does, if you want to host it.
17th November 2022 at 11:28 am #87268 The-Letter-Wriggler Participant
I think it’s best to use as few off-site resources as possible.
I wonder if some on-site JPGs could be used and tagged to be displayed where needed, one graphic for all participants and THE HAT graphic for keymasters.
17th November 2022 at 11:29 am #87297 Harry Keymaster
Nice idea TLW, will talk to the admins about it.
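
The two identifier schemes discussed in this thread, side by side, as an added example that is not part of any post above: the unkeyed MD5 of the email address, and a keyed identifier in the spirit of the secret-key suggestion. HMAC-SHA256, the function names, the demo key and the example.org addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed sample data: example.org addresses, not real accounts.
CANDIDATES = ["bob@example.org", "alice@example.org", "carol@example.org"]


def normalize(email: str) -> str:
    # Gravatar-style normalisation: trim whitespace and lowercase before hashing.
    return email.strip().lower()


def md5_avatar_id(email: str) -> str:
    # Unkeyed scheme from the thread: anyone can recompute this from an address.
    return hashlib.md5(normalize(email).encode("utf-8")).hexdigest()


def hmac_avatar_id(email: str, site_key: bytes) -> str:
    # Keyed scheme (assumption: HMAC-SHA256); site_key never leaves the server.
    data = normalize(email).encode("utf-8")
    return hmac.new(site_key, data, hashlib.sha256).hexdigest()


def linkable_without_key(avatar_id: str, candidates: List[str]) -> Optional[str]:
    # Audit check: using only public, unkeyed digests, does any candidate
    # address reproduce the identifier that appears in the image URL?
    for addr in candidates:
        data = normalize(addr).encode("utf-8")
        for algo in ("md5", "sha256"):
            if hmac.compare_digest(hashlib.new(algo, data).hexdigest(), avatar_id):
                return normalize(addr)
    return None


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key; use secrets.token_bytes(32) in practice
    poster = " Alice@Example.org "
    for name, ident in (("md5", md5_avatar_id(poster)), ("hmac", hmac_avatar_id(poster, key))):
        print(name, ident, "->", linkable_without_key(ident, CANDIDATES))
```

The key only addresses recovery of the address from the image URL; keeping viewers' IP addresses away from a third party comes from serving the images on-site.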