For the Gravatar-lovers amongst us, Anne Laurie sent this link to an interesting discussion of the security implications of Gravatars. They’re not major, but it appears that the Gravatar client sends a hashed version of your email to Gravatar even if you didn’t opt in for the service, which is a bit of an issue, since it allows them to do a bit of anonymous tracking of non-Gravatar users.
My take on Gravatars is that a site that averages a hundred comments a post doesn’t need to push out a hundred images to slow down those comments, so I agree with John’s decision to shitcan them.
While we’re talking redesign, we turned on the mobile theme, which senses the type of browser you’re using and pushes out a stripped-down version if you’re using a mobile device. If you would rather see the non-mobile version of B-J on your smartphone, just scroll down to the bottom of the page and click on the link that says “Switch to the regular site”. Your choice will be preserved. If you want to switch back to the mobile site, there’s a link at the bottom of the left siderail, right under the Sitemeter image.
Update: Some people are reporting that it takes a couple of tries to get their smartphone to switch to the mobile site. Reloading, or re-selecting Balloon Juice from a bookmark seems to help.
For Internet Explorer users, if you can’t switch to a real browser like Firefox or Chrome, turning on compatibility view (Tools/Compatibility View) solved some appearance issues for me, at least when I was testing in IE8.
Allen
The link to switch to the regular site does not seem to work, at least not on the iPhone. I just get a message that Safari can’t connect to the server. Note that the Atomic Web Browser app, which can spoof what type of browser it is, still sees the regular site just fine (so I know the regular site isn’t down, there’s just a problem with the link to switch to it).
cleek
strictly speaking, this site wouldn’t be serving the gravatar images, just IMG refs to images on gravatar.com.
mistermix
@Allen: Hit “reload” after you hit that link and the site layout should change. It’s a bug.
@cleek: Yeah, I know, but your browser still needs to render 100 IMG tags just to see the comments.
Jack
Just a browser usage note: I use an RSS reader to peruse weblogs, and it uses IE to render the pages I choose to read. It can use Mozilla, but the version of Mozilla it uses is broken, so I’m forced to use the IE renderer.
For my “regular” browsing I use Firefox.
At the moment, the site looks better in the IE rendered RSS reader than it does in Firefox, but I use NoScript in Firefox and have most of the ad scripts blocked.
Not intended as a complaint, just a comment.
JasonK
No offense but a modern browser rendering 100 image tags is not an issue. I honestly don’t care one way or another about Gravatar images but given the ridiculous amount of ad images in the sidebars right now Gravatars are the least of my worries.
DougJarvus Green-Ellis
Great news about the mobile site.
txbubba
The mobile theme is not appearing on my Android phone (Nexus One). I get the full site. Update: Even though I refreshed several times, I didn’t see it. But after submitting a comment, the mobile theme displayed.
morzer
@mistermix:
100 image tags is not a significant demand on any adequate, i.e. modern site, frankly. This whole post is portentous waffle, and mildly reminiscent of the whole Homeland Security schtick. If John doesn’t like gravatar, fine, but this sort of weak propaganda to cover up a personal preference is unimpressive.
Allen
Thanks mistermix! A reload didn’t actually work; I just got the same “can’t connect” message. But re-selecting it from my bookmarks list did the trick (as, I suppose, re-typing the URL would as well).
The fact that reloading didn’t work might be a peculiarity with how Safari mobile handles reloads. As much as I like the iPhone, I have to say that the Safari browser is the worst browser known to man (yes, even worse than IE, or the bug-ridden late 90s version of Netscape, the precursor to Firefox).
cleek
Test from droid…
Seeing full site…
mistermix
@morzer: 100 images is 300K of images, each of which your browser has to retrieve from cache or over the Internet. I realize that the images are retrieved from Gravatar, but they still have to be served over the user’s pipe, and I’d rather not do that. I had nothing to do with the decision, just happen to agree with it.
As for the rest of your comment, go piss up a rope.
mistermix
@cleek: That’s weird, because my droid picked it up the first time it was enabled. Try selecting the mobile link.
AFAIK, all that Stacy did was to install a WordPress mobile plugin, so there must be some issues with it. I think they may have something to do with caching – depending on what’s set in your cookie (i.e. whether you’ve logged in or commented), WP either pushes out a cached or uncached site. I’ve commented from my phone before so I’m not hitting the cache.
I’m not a WP expert by any stretch so this is mainly a guess.
cleek
@mistermix:
worked the second time.
sweeeeeeeeeeeeeeeeeeeeeeeeet.
just a note: i use that wp-mobile thing on my site, too. and i’ve found that it gives users heartache if i try using it with a stock version of wp-cache. wp-cache will cache the desktop version and send that to mobile users. and vice versa. there are fixes for this, though.
Keith G
Avatars are a needless affectation.
I am using Chrome for the first time ever. The site looks good. One Chrome question, though. Every word that I have typed here is underlined by the spell checker. When I right click, the list of corrections all seem to be proper names – such as ‘Jameson’ for ‘names’.
So…what gives? Is this a common Chrome thing?
djork
FYI – The site is still blowing out of the right margin in IE. It works fine in Firefox. Sadly, I do not have FF at work.
mistermix
@djork: Turn on “compatibility view” (Tools/Compatibility View). Fixed it for me in IE8 (which I never use, so thanks for pointing that out).
mistermix
@Keith G: Not happening for me in Chrome, so I don’t know what that’s about.
Robertdsc-iPhone
The mobile version loads fine on my iPhone 3G. Thanks for enabling it.
Violet
Rant followed by question.
Rant: I DETEST Gravatar for reasons listed above plus others. I avoid them at all costs and am really pissed off that Gravatar was sprung on us without warning. I avoid them at all costs and would have avoided commenting here if B-J used Gravatar when I first visited. Based on that link, plus other info, I’m guessing that Gravatar has now harvested my email that I use here to track my usage all over the web. And that pisses me off even more. Fucking bastards Gravatar. I’m going to have to change my email in various places.
Question: If I change my email here can I keep my name or does it go with the email? Will I have to be put through moderation again the first time I use the new email? How does that work?
Violet
@djork:
I think this is some kind of script issue with an ad that is being displayed when it happens. If you keep reloading the page eventually the ad changes and it goes away. Obviously the interference is a problem but there is a workaround.
Compatibility view doesn’t work for me.
Violet
Other issues:
Comment box seems much smaller than on previous iteration. Is that just me?
Post titles and links are significantly lighter than the surrounding text. They are so light they are almost hard to see if the screen brightness isn’t high.
mistermix
@Violet: No, Gravatar didn’t harvest your email. WordPress sent a hash (basically a big number generated from your email) to Gravatar. It is very, very difficult to retrieve your email from that hash, and far too costly to make it worthwhile for Gravatar to do it.
You don’t need to change your email.
Violet
@mistermix:
Isn’t what you are saying in the reply to my post different from what you said in the original post:
If they can, and if tracking email usage is valuable in some way, which it must be because they are doing it via signed-up users, then why wouldn’t they do it? All they have to do is write a script to harvest emails from the hash. How hard can that be? And voila, more emails to follow.
How are you so confident they don’t/aren’t?
Keith G
@mistermix: I am pretty sure it is all about my installation of Chrome. I just wanted to know if this was a semi-common glitch. Chrome help forums show similar instances, but no consensus on a fix.
Great first impression.
Foxhunter
If your iPhone is giving you the ‘cannot contact server’ message, simply type the following URL in Safari:
https://balloon-juice.com/?wpmp_switcher=mobile
This should load up the site just fine.
However, this does not auto load the mobile version from a http://www.balloon-juice.com.
YMMV.
mistermix
@Violet: The reason that it is “anonymous tracking” is because they can’t reverse-engineer your email from the hash.
It’s like this. If your email is “[email protected]” this gets sent to gravatar as some number, say, “123456”.
Gravatar looks up “123456” and says, hmm, no, I don’t have any record of “123456”. And I can’t tell that “123456” is “[email protected]”. But, even if I don’t know that, I can track whenever “123456” visits a site that uses Gravatars.
That’s what I meant by anonymous tracking. It is no big deal, and I said it was “a bit of an issue”, i.e., not much of one.
Violet
@mistermix:
Okay, thanks for the explanation. I guess maybe since I try to avoid Gravatar sites I might be okay.
My issue with them goes back a long way and is related to a site where I first heard about them. I had some issues with them then and nothing I’ve heard about them or seen in use has made me feel better about them.
RobertB
@Violet – they can track the hash values across all the sites that use Gravatar, but they can’t tie the hash value to the actual email value unless the owner of the email signs up at the Gravatar site. And getting from the hash to an actual email address is hard – you have to randomly generate email addresses and see if their hash values match the ones you have.
cleek
FWIW, Gravatar is owned by the company that owns WordPress.
Elie
I truly cannot understand why I have problems with this website alone… that whatever ALL the others do or don’t do in their web design, this one has chosen a path that will not allow it to display correctly on the browser that I must use. Scolding me for not having access to Firefox just is not right. Again, this is the ONLY site I have trouble with.
WaterGirl
@Elie: I am a member of the I hate IE club, but I hope they work on resolving this issue for you because your comments always add a lot to the discussion. Someone on another thread included the code that they think would fix this problem, so it might not take much time to implement a fix.
Martin
The 100 images problem isn’t being fully understood. It’s 100 images from some other site. If that site is slow, then the page will be slow to load. That’s one reason why BJ is so horribly slow sometimes – one of the ads (loaded from another site) won’t load, which causes the page to hang up until it can time out and resume.
The fewer of these things Cole relies on, the faster the site will go.
p mac
To whom it may concern:
the IE problems are not in balloon-juice per se, but associated with one set of ads or another.
It loads fine if you open Tools\Internet Options\Security\Restricted Sites
and block:
http://*.blogads.com
http://*.pulse360.com
http://*.googlesyndication.com
(Actually, pulse360 is no longer on balloon juice, but it’s a killer in general.)
mistermix
test
MsSKWEsq
I’m hoping that leaving a comment here will place a cookie on my iPhone and allow me to use the mobile site! Thanks John and Mistermix for your help!
MsSKWEsq
It worked well! Using mobile site right now! Very cool!
worn
Cross-posting my comments from a later thread in a tenuous bid for relevancy…
Had a chance this morning to look at the site rebuild on the iPhone. Though I was a bit put off at first by the missing balloon, I realized its non-appearance is part of the mobile device plugin stuff.
I really do like the fact that the column width has been winnowed down so as to make the font a nice readable size. The only odd thing is the title ‘bars’ on the front page have a font that is about 65% the size of the byline & post below. This is also true for the navigation ‘bars’ shown when having clicked through to a post (i.e., ## comments on this post, Leave a comment, Search Site, etc.) The really odd thing is that while viewing a particular post, the title ‘bar’ then has a larger, more appropriately sized font. Seems like this should also be the way the front page renders, but I wonder if this is a particularity of FYWP or the iPhone browser?
worn
Also: if it were my site I think I’d make the BJ Lexicon, FAQ, & Privacy Policy links much smaller on the front page (they literally push all the content off screen). And I lose them on within the individual comment threads.
But of course it’s not my site!
terry chay
That thread on privacy risk on gravatar is paranoid trash. The reality is Gravatar is a service of Automattic/WordPress that started as a project outside the company. The service is subject to our privacy policy which is clearly delineated. http://automattic.com/privacy/. This makes me think the original poster is a very, very poor lawyer (or a liar).
The idea behind gravatar is to create a globally recognized avatar without requiring login. If there was a way to open-source it, would have been. In fact, all Automattic products that can be open-sourced are made freely available under the GNU Public License (for instance, you know the blog called WordPress of FYWP fame?). Exceptions are things like Gravatar and the Akismet anti-comment spam which are impossible to open-source. But other than those FREELY available services, you see tons of plugins are updated by Automattic employees in order to make it work on 20 million blogs on the internet (in addition to blogs at the New York Times, Fox News, CNN, ICanHazCheezburger, etc.), and you can build your own WordPress.com-style multi-site now very, very quickly (it’s built into WordPress 3.0) using the free software and same plugins used on the site since they’re all free and open—in fact, there are a number of sites and blog networks that do, and outcompete WordPress.com in certain markets.
In other words, explain to me how Automattic can provide a Gravatar service AND open source it in a manner that doesn’t destroy your privacy? Ummm… it can’t.
I do not work on Gravatar, but to my knowledge, there have been no plans to monetize the data collected (not directly). The major monetization centers around Gravatar merging accounts with WordPress.com. WordPress.com (via upgrades) and certain WordPress.org add-ons (Akismet, VaultPress) are monetized this way. Gravatar? Umm that sort of defeats the purpose.
It’s been a while since I looked at Gravatar’s codebase, but I never saw us storing e-mails or hashes of non-gravatar users anywhere. Instead when an e-mail hash of non-gravatar users is provided, it gets auto-generated gravatars.
If you created an account at Gravatar, “deleting your account” is as simple as deleting all the data in the account. This forces an auto-generated gravatar instead of one you provide. I suspect deleting your WordPress.com account will also delete your gravatar account, since the database should be shared at this point.
Finally your e-mail address isn’t sent to Gravatar. Did the person even look at the &#(@ API? Instead a one-way secure hash of your e-mail is sent to gravatar. Duh! That’s the whole point. We don’t know the e-mail and you should never send the e-mail in the clear. The only way to know what the e-mail is is to already know the e-mail and test it to see if there is a gravatar registered for it.
That’s the actual only privacy hole I know about gravatar. If you have a list of e-mails, you can probably test the validity of them against what gravatar thinks is valid. Boo f—ing hoo! Now with Facebook social inbox, I can test and send e-mail to anyone who has social inbox active via Facebook’s public API!
Note: I work at Automattic (WordPress) so I’m definitely biased. I don’t speak for the company. I work on a different part of the site than Gravatar.
@Violet: You can detest gravatar but please get it straight instead. A quick scan of the API tells you that your e-mail is not sent to gravatar.com. Instead, a one-way secure hash of the e-mail address is sent. Gravatar has no way of knowing your e-mail unless you have already provided it. Unless you think we’re smarter than everyone at the NSA and every security expert in the world.
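An added illustration of the hash discussion in the comments above (mistermix's "123456" explanation, RobertB's reply and terry chay's "privacy hole"); it is not code from the post, the commenters, Gravatar or WordPress. Gravatar's identifier was the MD5 of the trimmed, lower-cased address, so the sketch shows two things: the hash is a stable pseudonym that links requests across sites, and it can only be matched to an address the checker already holds. All site names and addresses are constructed.

```python
import hashlib
from collections import defaultdict


def gravatar_hash(email: str) -> str:
    """MD5 of the trimmed, lower-cased address: the value placed in the avatar URL."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample: what an avatar service would see in its request log,
# i.e. (referring site, hash). No e-mail address appears in the log itself.
REQUESTS = [
    ("blog-a.example", gravatar_hash("Alice@Example.org ")),
    ("blog-b.example", gravatar_hash("alice@example.org")),
    ("blog-a.example", gravatar_hash("bob@example.net")),
    ("blog-c.example", gravatar_hash("alice@example.org")),
]


def sites_per_hash(requests):
    """Group referring sites by hash: the 'anonymous tracking' view.

    The same commenter produces the same hash everywhere, so activity is
    linkable across sites even though the address itself is unknown.
    """
    seen = defaultdict(set)
    for site, digest in requests:
        seen[digest].add(site)
    return {digest: sorted(sites) for digest, sites in seen.items()}


def confirm_known(candidates, observed_hashes):
    """Return the candidate addresses whose hash was observed.

    The hash is not reversed; only addresses the checker already holds
    can be confirmed.
    """
    observed = set(observed_hashes)
    return [email for email in candidates if gravatar_hash(email) in observed]


if __name__ == "__main__":
    for digest, sites in sites_per_hash(REQUESTS).items():
        print(digest, "seen on", ", ".join(sites))
    held = ["carol@example.com", "bob@example.net"]  # constructed list
    print("confirmed:", confirm_known(held, [d for _, d in REQUESTS]))
```
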
WaterGirl
@terry chay: I had privacy concerns about gravatar, too, so I appreciate that you have shared this information here. It’s really helpful.
Not so helpful, though, is berating someone because they may not understand terms like one-way secure hash and a quick scan of the API. Maybe next time you can leave that part out? :-)
Nik
I hate that the BJ RSS feed starting with yesterday’s “The First Gulf War” post no longer contains any useful formatting (like for block quotes) or shows the entire article. I read BJ and all my other blogs exclusively in my RSS aggregator, and now it’s much less likely that I’ll continue doing so since the RSS summaries available to me are so annoying. I follow too many blogs to consider opening up separate tabs for each blog home page.
I don’t care if you embed ads in the RSS feed itself — TPM and Sully do this effectively without denigrating the readability and quality of the RSS feed.
corwin
short comment for mobile access