What issues are on your mind? What would you like to see us working on this sprint or next?
As highlighted in this question nearly 4 years ago, Area 51 exposes our email addresses on a silver platter. Almost. (Well, sorta)
From 2013 to 2023, Stack Exchange had been salting our email addresses prior to hashing them, before sending them off to Gravatar to be, in most cases, transformed into an Identicon. From 2023 onwards, they've actually stopped using our email addresses altogether.
However, Area 51 still operates on a 2011 fork of the SE engine, which means that both old and newly created Gravatar avatars continue to use the unsalted hash of our email addresses. For instance, my Identicon on Area 51 can be traced back to: https://www.gravatar.com/avatar/a454773f0a95c0855e768b7c8be13e0b?s=128&d=identicon&r=PG. Here, `a454773f0a95c0855e768b7c8be13e0b` is simply the raw MD5 hash of my email address. This issue affects all users on Area 51. (If you don't believe me, test it yourself!)
As I'm sure many of you know, MD5 has been widely considered "cryptographically broken" for a long time. It isn't a particularly strong hash in this day and age, and quite easy to brute-force. I have no doubt that among the thousands of email addresses associated with Area 51, at least one could be found in a wordlist or potentially be brute-forced. This has probably occurred in the past, where a user's email address was (most likely) cracked from its MD5 hash by another user (back when the hashes were included in the data dumps).
Despite raising this concern four years ago, the status remains status-deferred. Please, oh please, can something be done about this serious privacy risk?
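Added example, not code from the post or from Stack Exchange: a small Python self-check for the "test it yourself" step above, plus the keyed-hash alternative the post alludes to (a hypothetical construction, not SE's actual 2013-2023 scheme). The address `someone@example.com` and the key `b"site-secret"` are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import urlparse


def gravatar_hash(email: str) -> str:
    """Unsalted Gravatar lookup hash: MD5 of the trimmed, lowercased address
    (Gravatar's documented normalisation). This is the value Area 51 exposes."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(avatar_hash: str, size: int = 128) -> str:
    """Rebuild an avatar URL in the same shape as the one quoted in the post."""
    return f"https://www.gravatar.com/avatar/{avatar_hash}?s={size}&d=identicon&r=PG"


def hash_from_avatar_url(url: str) -> str:
    """Pull the 32-hex lookup hash out of a gravatar.com avatar URL."""
    path = urlparse(url).path.rstrip("/")
    return path.rsplit("/", 1)[-1].lower()


def avatar_reveals_email(avatar_hash: str, email: str) -> bool:
    """Self-check on your own account: does the hash in your avatar URL equal
    the raw MD5 of your own address? True means the address is recoverable
    by anyone who can guess it and compare hashes."""
    return hmac.compare_digest(avatar_hash.lower(), gravatar_hash(email))


def salted_avatar_hash(email: str, site_secret: bytes) -> str:
    """Hypothetical mitigation: a keyed hash (HMAC-MD5, so still 32 hex chars
    that Gravatar will turn into a deterministic identicon). Without
    site_secret the value cannot be reproduced from a guessed address."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(site_secret, normalised, "md5").hexdigest()


if __name__ == "__main__":
    email = "someone@example.com"  # constructed sample address
    raw = gravatar_hash(email)
    print("unsalted URL:", gravatar_url(raw))
    print("address recoverable from hash?", avatar_reveals_email(raw, email))
    keyed = salted_avatar_hash(email, b"site-secret")  # constructed key
    print("keyed URL:   ", gravatar_url(keyed))
    print("address recoverable from keyed hash?", avatar_reveals_email(keyed, email))
```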