2

In our C# application we are not using MD5 as it is not secure; we are using SHA256. But when we use SHA256 we are not getting any images from Gravatar. My questions are:

  1. Will Gravatar support SHA256?
  2. What is the alternative to Gravatar that supports SHA256? We don't want to install or include any libraries, as Gravatar requires just the URL to get the image.
Raghavendra Prasad
  • You'd better show the relevant C# code, because this question makes no sense as-is. What are you using MD5 for? If you're worried about "security", is using a third party (such as gravatar) secure in the first place? Is SHA256 a better solution for your security concerns? Remember: SHA256 is better than MD5 for a _single_ specific security task, cryptographic hashing. – MSalters Jan 06 '16 at 08:52
  • We have a security policy not to use weaker algorithms like MD5, but as per [this](http://www.danesparza.net/2010/10/using-gravatar-images-with-c-asp-net/) Gravatar used MD5 to render the profile image. – Raghavendra Prasad Jan 06 '16 at 12:14
  • Right, that explains a lot. You're applying a security policy which you apparently don't understand. Or do you understand the risk of using MD5 in this situation? – MSalters Jan 06 '16 at 12:48
  • If you're worried about [brute-forcing hashes](https://meta.stackexchange.com/a/79856/259816) to find email addresses, SHA256 won't buy you much; you want a password-grade algorithm like [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) or [bcrypt](https://en.wikipedia.org/wiki/Bcrypt). If you're worried about being able to correlate between users, each site must salt ([for example](https://meta.stackexchange.com/a/44846/259816) `username+sitename@example.com` in place of `username@example.com`), though this can have supportability problems and it defeats much of the point of a generic avatar. – Adam Katz Feb 05 '18 at 22:07

1 Answer

4

As MSalters already mentioned, I don't think it really matters in this use case. You're not doing anything cryptographic, so I don't think there are any issues with MD5 in this scenario. However, if you do specifically want an alternative that supports SHA-256 hashes of emails to get user avatars (though definitely not as popular as Gravatar), there's Libravatar. Libravatar's API documentation does state that it supports SHA-256 for retrieving avatars.

Omar Bahareth
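The SHA-256 route the answer points to, as an added example that is not code from the answer or from Libravatar: it builds an avatar URL from the SHA-256 hex digest of the trimmed, lower-cased address using only the .NET base class library. The `AvatarUrl` class, its method names, the `seccdn.libravatar.org` base URL and the 1 to 512 pixel size range are assumptions to confirm against Libravatar's API documentation.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class AvatarUrl
{
    // Assumed endpoint (Libravatar's HTTPS host); confirm against its API docs.
    private const string LibravatarBase = "https://seccdn.libravatar.org/avatar/";

    // Avatar services hash the normalised address: surrounding whitespace
    // removed and all characters lower-cased. Skipping this step is a common
    // reason a lookup returns the default image instead of the user's avatar.
    public static string Normalize(string email)
    {
        if (string.IsNullOrWhiteSpace(email))
            throw new ArgumentException("email is required", nameof(email));
        return email.Trim().ToLowerInvariant();
    }

    // Lower-case hex SHA-256 of the UTF-8 bytes of the input.
    public static string Sha256Hex(string input)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(input));
            var sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // sizePx bounds are an assumption about the service's accepted range.
    public static string ForLibravatar(string email, int sizePx = 80)
    {
        if (sizePx < 1 || sizePx > 512)
            throw new ArgumentOutOfRangeException(nameof(sizePx));
        return LibravatarBase + Sha256Hex(Normalize(email)) + "?s=" + sizePx;
    }

    public static void Main()
    {
        // Constructed sample addresses: both must produce the same URL,
        // because normalisation happens before hashing.
        Console.WriteLine(ForLibravatar("  Alice@Example.COM "));
        Console.WriteLine(ForLibravatar("alice@example.com"));
    }
}
```

Changing the digest does not change the property Adam Katz's comment raises: the URL still exposes an unsalted hash of the address.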