Bug 730743 - Add an option to disable sender's photo search at gravatar.com
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: general
Version: 3.12.x (obsolete)
Hardware: Other All
Importance: High major
Target Milestone: ---
Assigned To: Evolution Shell Maintainers Team
QA Contact: Evolution QA team
Reported: 2014-05-26 01:57 UTC by Christoph Anton Mitterer
Modified: 2015-02-23 09:05 UTC
GNOME target: ---
GNOME version: ---



Description Christoph Anton Mitterer 2014-05-26 01:57:55 UTC
Apparently Evolution silently introduced the "feature" of querying
Gravatar for images of your email contacts.

AFAICS this is on by default and I wouldn't have found a way to
disable it.

This basically discloses all of whom I have contact with to gravatar
or anyone on the wire...
Not so good. o.O

I mean is anyone really thinking something when implementing such "features"? Where else are my contacts reported to? NSA? Facebook?
Highly disturbing.


Cheers,
Chris.
Comment 1 André Klapper 2014-05-26 10:11:01 UTC
Thanks for reporting. Whou, yeah, disturbing. 

Introduced in https://git.gnome.org/browse/evolution/commit/?id=91aee2a805d70c9f7a5f0d089139fbfc710939c1

Not documented in the user docs so no big blinking warning to add there.

To switch off: "Edit > Preferences > Mail Preferences > Headers > Sender Photograph > Show the photograph of the sender in the message preview"
Comment 2 Milan Crha 2014-05-27 10:39:41 UTC
(In reply to comment #1)
> To switch off: "Edit > Preferences > Mail Preferences > Headers > Sender
> Photograph > Show the photograph of the sender in the message preview"

Yeah, I also do not like the feature. The problem with the above option is that you also disable address book lookups, which can be fast and so on.

A workaround would be to delete the gravatar module, located at
   $PREFIX/lib/evolution/3.XXX/modules/module-gravatar.*

(it can be /usr/lib/... or /usr/lib64/lib/... and so on).

I'll add an option, disabled by default, which will influence whether the gravatar module will be used or not.
Comment 3 Milan Crha 2014-05-27 11:12:28 UTC
One observation, I hope good news: gravatar.com is not queried with the sender's email address, but with an MD5 hash of it, from which they cannot recognize the address unless it's already stored on the server. That means that this only eats bandwidth, but no private information is exposed (except maybe the requester's address).
Comment 4 Christoph Anton Mitterer 2014-05-27 12:54:35 UTC
@Andre:
Well I guess no one could guess from that:
"Edit > Preferences > Mail Preferences > Headers > Sender
Photograph > Show the photograph of the sender in the message preview"
that this includes disclosing information to gravatar... most people will simply think about the X-Face header and the image included in the email.

@Milan:
I don't think having the hash is of any help here...
a) gravatar knows all the addresses they, so THEY can easily build up the tables and just compare.
And many people do have a gravatar account, since the way it's usually used (websites) there's no information leakage.
And since I'd expect that there is no salting,... then both, gravatar and other people on the wire can at least check whether you have contact with "well known" addresses.

Cheers,
Chris.
Comment 5 Milan Crha 2014-05-27 14:14:41 UTC
The commit below adds a GSettings option "search-gravatar-for-photo" to org.gnome.evolution.mail and makes the gravatar source use it. A check box was also added below the option named in comment #1, with the description "Search gravatar.com for the photograph of sender", which also influences the new GSettings key. The key, and thus also the gravatar.com search, is disabled by default.

I cannot commit this to stable due to new translatable strings and a UI change. Maybe a simplified version without the UI change would be possible (what do you think, Andre?), the text in GSettings is not shown anywhere but DConf editor, which is not a place where users should usually look.

Created commit 82076f2 in evo master (3.13.3+) [1]

[1] https://git.gnome.org/browse/evolution/commit/?id=82076f2
Comment 6 bugzilla.gnome.org 2014-09-01 11:04:54 UTC
I noticed this the other day too and immediately blocked access to gravatar using my hosts file.

This should be optional and disabled by default as per Milan's patch.

One other thing to add: Please remember to always use SSL if it is an option. I.e, please change http://www.gravatar.com/ to https://secure.gravatar.com/
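
Added example (not part of the bug thread and not Evolution's code): a small audit over avatar request URLs, such as those in a proxy log of your own mail client, showing the two concerns raised in comments 4 and 6. An unsalted MD5 of an address can be matched against any list of known addresses, and a request sent over plain `http://` exposes that hash on the wire. The trim-and-lowercase normalisation follows Gravatar's documented hashing scheme; the function names, sample addresses and sample URLs are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# /avatar/<32 hex chars>, optionally followed by an image extension
AVATAR_PATH = re.compile(r"^/avatar/([0-9a-f]{32})(?:\.\w+)?$")


def gravatar_hash(address: str) -> str:
    """Unsalted MD5 hex digest of the trimmed, lower-cased address."""
    return hashlib.md5(address.strip().lower().encode("utf-8")).hexdigest()


def audit_requests(urls, known_addresses):
    """For each gravatar avatar URL return (address or None, hash, cleartext).

    `address` is filled in when the hash matches one of `known_addresses`,
    which is the same table lookup any party holding an address list can do.
    `cleartext` is True when the request was made over plain http.
    """
    table = {gravatar_hash(a): a.strip().lower() for a in known_addresses}
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host != "gravatar.com" and not host.endswith(".gravatar.com"):
            continue  # not an avatar lookup, ignore
        match = AVATAR_PATH.match(parts.path.lower())
        if match is None:
            continue
        digest = match.group(1)
        findings.append((table.get(digest), digest, parts.scheme == "http"))
    return findings


# Constructed sample data: an address list and four logged request URLs.
KNOWN_ADDRESSES = ["alice@example.org", " Bob@Example.net "]
SAMPLE_URLS = [
    "http://www.gravatar.com/avatar/" + gravatar_hash("Alice@Example.org") + "?d=404",
    "https://secure.gravatar.com/avatar/" + gravatar_hash("bob@example.net"),
    "http://www.gravatar.com/avatar/" + gravatar_hash("stranger@example.com"),
    "https://example.org/avatar/" + "0" * 32,  # other host, skipped
]

if __name__ == "__main__":
    for address, digest, cleartext in audit_requests(SAMPLE_URLS, KNOWN_ADDRESSES):
        who = address or "(not in address list)"
        print(f"{digest}  {who}  {'cleartext http' if cleartext else 'https'}")
```
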
Comment 7 André Klapper 2014-09-01 13:24:54 UTC
(In reply to comment #6)
> Please remember to always use SSL if it is an option.
> I.e, please change http://www.gravatar.com/ to https://secure.gravatar.com/

Please file a separate ticket for separate requests
Comment 8 André Klapper 2015-02-22 16:35:07 UTC
That would be the line
  #define AVATAR_BASE_URI "http://www.gravatar.com/avatar/"
in modules/gravatar/e-gravatar-photo-source.c

mcrha: Fine with changing that?
Comment 9 Milan Crha 2015-02-23 09:05:31 UTC
Yes, sure thing. It only got lost in my bug mails, otherwise I'd have done it sooner.

Created commit 7d28bdf in evo master (3.15.91+)