I recently implemented gravatar on a site for a friend and he was worried about the security of the 3rd party service.
I told him at the time the biggest issues are likely to be confirmation attacks and leakage attacks.
Fast forward to today and it I happen across this post.
What it comes down to is that a lot of the display names people use on a site are similar to the user part they use on their email addresses. Combine this with the ability to check the top providers (gmail/yahoo/hotmail etc) easily and you can typically confirm that an email address is genuine or not using offline methods by comparing the hash in the page to the hash from the calculated hashes for the username and provider.
I’m not sure that there is an easy solution here.
You could ask the user to add a new email address for the site and associate the picture with it. You’d only leak the site email then, but this is extra overhead for the user.
You could ask the user to upload their own image to the site and opt-out of gravatar, but both of these negate one of the reasons of using it in the first place - to reduce user effort.
Much that I dislike the data-creep of big corps like facebook, google or twitter, I think they all have it right in that you use a site specific id that is unrelated to your email. This mostly prevents external leakage, but you are still leaking a lot of information to the identity provider.tags: