gravitas
gravitas copied to clipboard
Gravitas
The serious, sophisticated globally recognized avatar
This is a thin proxy that runs in front of Gravatar, and lets you use the service without leaking (a) your users' emails/identities and (b) a whole bunch of traffic information to Gravatar-the-service.
Leaking users' info?
Yes. Gravatar is leaky, you give up user email addresses, let peoples' content be linked across sites, and send a tremendous amount of information to Gravatar with each request. It's not great, but the service is convenient.
What Gravitas solves
- Much more difficult to identify the same user across sites
- Masks users' personal data so Gravatar can't see it, including:
- IP address
- Browser information (and all other request headers)
- Referrer
- Total number of requests (when run behind a caching proxy)
How to Use
Use it with fly.io
We built a global proxy for developers, it works seamlessly with Gravitas. You can set it up here with a few clicks: https://fly.io
Run it standalone
First, generate a base64 encoded 32 byte encryption key:
irb> key = SecureRandom.urlsafe_base64(32)
Set the key as an environment variable named GRAVITAS_KEY
.
Run the app with Ruby, ruby app.rb
(this uses port 4567 by default)
Generate encrypted Gravatar parameters.
curl -H 'Authorization: <key>' http://localhost:4567/avatar/767fc9c115a1b989744c755db47feb60?s=132
Generate from email address (and other gravatar parameters)
curl -H 'Authorization: <key>' -X POST -d '[email protected]&s=132' http://localhost:4567/avatar
Caveats
- We don't obfuscate users' actual images that we return. If a user has a unique gravatar, you can still find all the places they use it with a reverse image search.
- This hides a lot from the backend gravatar servers, but they can still determine that requests are happening for a given email.
- Getting the encrypted parameter from a webservice is relatively expensive. You should probably store a full "avatar url" in your own database, rather than trying to use the
POST
API in realtime.