
In all our worry about NSA taps, the simple fact is that Gravatar and now Disqus allow anyone (the NSA, your health insurance company, groups who dislike your group, etc.) to track your blog comments, help desk comments, any comment you make around the net.

Your comments to gay rights groups, anti-gay rights groups, cancer support groups, AIDS support groups, abortion groups, Democratic politics, Tea Party groups, gun rights groups, doctors' offices, anyone using WordPress as a front end group.

Anyone can do this with a simple search engine they create, and apparently we don't care because Gravatar was set up by a Silicon Valley favorite and is now owned by WordPress, who was informed of this years ago and refused to consider it a privacy leak. And anyway, we like them cutesy cartoon avatars.

Anyone can do this with a search engine that maps pages to MD5 hashes and vice versa and either a rainbow table of email addresses or, even easier, a list of your customers' email addresses, because let's see if any of our customers have health problems they didn't disclose.



Any comments you make under your email address are attributable to that email address. Duh. The whole point of Gravatar and Disqus is to make it clear that your comments on a bunch of different sites are from the same person.

If you don't want a particular comment associated with your name or email, why would you ever fill in that name or email when commenting?


If I go to comment at a WordPress site it says this:

"Email (required) (Address never made public)"

MD5 leaks of my email address into web pages are in fact making my address public.

Hey lmm, duh, when you make a comment under a different name but with the same email address, which you think is anonymous, at your local HIV testing site, you may not expect that your insurance company can track that down because WordPress has been leaking your MD5 address all over the place.


>If I go to comment at a WordPress site it says this: "Email (required) (Address never made public)"

So WordPress, not Disqus or Gravatar (which I'm aware is owned by WordPress), is lying to you. Let's put the blame in the right place.


No it doesn't. You need to know the email address up front in order to generate the hash.


But the point is that you can easily brute force that, especially if you have a list of people that you suspect may be making such comments and their email addresses.

Saying that your email is kept private by taking its MD5 sum is like expecting that an unsalted MD5 sum for a password hash in a publicly accessible password database will be secure for people with weak, brute-forcible passwords like "1234". You are providing a little bit of obfuscation, but no real security.
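A worked illustration of the two points made in this thread: the avatar hash links comments across sites no matter what display name was used, and an unsalted MD5 is reversed by hashing a candidate list and comparing, exactly like an unsalted password hash. For contrast it also shows a keyed, per-site identifier. This is an added example, not code from the thread, from Gravatar, Disqus or WordPress; the scraped comments and the address list are constructed, and `site_scoped_id` is an illustrative alternative design, not a feature any of these services offers.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def gravatar_hash(email: str) -> str:
    """Gravatar's documented scheme: MD5 of the trimmed, lower-cased address.
    No salt and no key, so the same address always yields the same hash everywhere."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample data (hypothetical, not from the thread): comments as they
# might be scraped from three sites that embed avatar URLs.
# Each tuple is (site, display name, hash taken from the avatar URL).
SCRAPED_COMMENTS: List[Tuple[str, str, str]] = [
    ("blog.example", "John", gravatar_hash("john.doe@example.com")),
    ("support-forum.example", "anonymous", gravatar_hash("John.Doe@Example.com ")),
    ("news.example", "jd", gravatar_hash("jane@example.net")),
]

# Addresses the observer already holds (the thread's "list of your customers'
# email addresses"). Also constructed.
KNOWN_ADDRESSES = ["john.doe@example.com", "someone-else@example.org"]


def link_by_hash(comments) -> Dict[str, List[Tuple[str, str]]]:
    """Group comments from any site by the hash in their avatar URL.
    Different display names collapse into one bucket when the e-mail is the same,
    which is the cross-site linkability the thread is worried about."""
    groups = defaultdict(list)
    for site, name, h in comments:
        groups[h].append((site, name))
    return dict(groups)


def attribute(hash_value: str, candidates: List[str]) -> Optional[str]:
    """Unsalted MD5 is reversed by enumeration: hash every candidate address and
    compare. One MD5 per candidate, so even a very large list is cheap to check.
    Returns the matching address or None if the hash is not in the list."""
    table = {gravatar_hash(c): c.strip().lower() for c in candidates}
    return table.get(hash_value)


def site_scoped_id(email: str, site_secret: bytes) -> str:
    """Illustrative alternative (assumption, not what Gravatar does): an HMAC
    keyed with a secret held by the site. Without the secret an observer cannot
    precompute the table used in attribute(), and the same address yields
    unrelated identifiers on different sites, so comments cannot be linked across
    sites by the identifier alone."""
    canonical = email.strip().lower().encode("utf-8")
    return hmac.new(site_secret, canonical, hashlib.sha256).hexdigest()


def main() -> None:
    for h, posts in link_by_hash(SCRAPED_COMMENTS).items():
        who = attribute(h, KNOWN_ADDRESSES) or "<not in candidate list>"
        print(f"{h} -> {who}")
        for site, name in posts:
            print(f"    {site} as '{name}'")
    print("keyed id, site A:", site_scoped_id("john.doe@example.com", b"site-a-secret"))
    print("keyed id, site B:", site_scoped_id("john.doe@example.com", b"site-b-secret"))


if __name__ == "__main__":
    main()
```

Running it groups the "John" and "anonymous" comments under one hash and names the address behind it because that address happens to be in the candidate list; the third comment stays unattributed only because its address is not in the list, not because MD5 protected it. The two keyed identifiers for the same address differ, which is the property the plain hash lacks.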


From the same person, but not from that email address. Bad idea, but as per the article people expect these posts not to be linkable to their e-mail address. Why? Well, obviously, because that's the way Disqus works "usually".


Really what we should be doing is explaining to people that "foo@example.com" is a valid email address and that they should use it everywhere.

I am foo@bar.com. I don't know who owns that email, but I want to preemptively apologize to them about Disqus comment responses they've received.



