Comments on Closing the open redirect vulnerability in the Libravatar ecosystem


So, this will be the first comment in this new comment system. Hello world!

Anyhow, Libravatars and Gravatars leak too much information. Passing around a hash of your email address isn’t a good idea. That’s why I’m not using them in this comment system. Instead, you’ll get a unique avatar generated from a salted version of your email address.

You get a unique avatar that people can use to recognize you in the comment system, but one that can’t be used to track you across the web.
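The contrast drawn in the comment above, as an added example that is not the commenter's or the site's own code: a Gravatar/Libravatar-style identifier is an unsalted MD5 of the normalised address, so every site that sees it gets the same value and can link a visitor across the web, whereas a per-site identifier keyed by a secret salt stays stable for one site's commenters but differs between sites that hold different salts. The choice of HMAC-SHA256 as the salted construction and the sample address are assumptions for illustration; the page only says "a salted version of your email address".

```python
import hashlib
import hmac
import secrets

# Constructed sample input; not taken from the page.
SAMPLE_EMAIL = "alice@example.org"


def normalise(email: str) -> bytes:
    """Gravatar-style normalisation: trim whitespace, lowercase, UTF-8 encode."""
    return email.strip().lower().encode("utf-8")


def gravatar_style_hash(email: str) -> str:
    """Unsalted, globally stable identifier of the kind Gravatar and Libravatar use.

    Because it depends only on the address, every site that sees it obtains the
    same value, so one commenter can be correlated across unrelated websites.
    """
    return hashlib.md5(normalise(email)).hexdigest()


def site_avatar_id(email: str, site_salt: bytes) -> str:
    """Per-site identifier (assumed construction): HMAC-SHA256 of the normalised
    address under a secret, site-specific salt.

    Stable within one site, so returning commenters keep the same avatar, but
    unlinkable between sites that hold different salts.
    """
    return hmac.new(site_salt, normalise(email), hashlib.sha256).hexdigest()


def avatar_seed(avatar_id: str, bits: int = 64) -> int:
    """Seed for a generated avatar (identicon-style): the leading bits of the id."""
    return int(avatar_id[: bits // 4], 16)


def linkable_across_sites(email: str, salt_a: bytes, salt_b: bytes) -> bool:
    """True if two sites with the given salts would publish the same identifier
    for this address, i.e. if a third party could match the visitor between them."""
    return site_avatar_id(email, salt_a) == site_avatar_id(email, salt_b)


def demo() -> dict:
    """Run the comparison for one address on two independent sites."""
    salt_a = secrets.token_bytes(32)  # each site generates its own secret salt
    salt_b = secrets.token_bytes(32)
    return {
        "global_hash": gravatar_style_hash(SAMPLE_EMAIL),
        "site_a_id": site_avatar_id(SAMPLE_EMAIL, salt_a),
        "site_b_id": site_avatar_id(SAMPLE_EMAIL, salt_b),
        "linkable": linkable_across_sites(SAMPLE_EMAIL, salt_a, salt_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt must be a generated secret kept on the server; if it were public or shared between sites, the per-site identifier would collapse back into a global one with the same tracking and address-guessing exposure as the plain hash.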

Thanks for the heads-up about the vulnerability on my server! I didn't patch it, but removed Libravatar from my server and domain. I liked the idea of it, but no websites (not even yours) support it. Cheers.