Discourse 1.4 defaults to serving “letter” avatars from avatars.discourse.org, to speed things up by default and take advantage of global caching.
Unfortunately, this also means that Discourse’s servers learn about the browsing activity of all users of Discourse instances which have this default in place, on any page with at least one letter avatar. While Discourse (the company) may be as trustworthy a steward of such information as possible, just having that information in one place is a serious privacy risk (especially if it were stolen or compelled by legal order).
In addition, there is a security risk of avatars.discourse.org being compromised and used to serve malicious images, or to serve redirects to other third-party domains who wish to use collected browsing activity for malicious purposes.
The simplest and most complete way to mitigate the privacy and security risks for Discourse (the platform)'s community is to make the avatar service opt-in, rather than opt-out. You could create a commented-out section of site_settings.yml that helpfully shows people how to opt-in, as well.
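As an added example (not code from Discourse or from the original post), here is a small audit an instance admin could run over a rendered topic page to see which image hosts, such as avatars.discourse.org, receive a request from every visitor. The sample HTML and the host name `forum.example` are constructed; the local avatar paths are assumptions, not a claim about Discourse's real routes.

```ruby
require 'uri'
require 'set'

# Constructed sample of a rendered page: one letter avatar from the external
# service, two self-hosted avatars, one same-origin upload and one other CDN.
SAMPLE_HTML = <<~HTML
  <html><body>
    <img src="https://avatars.discourse.org/letter/a/ff0000/45.png" class="avatar">
    <img src="/user_avatar/forum.example/bob/45/12_1.png" class="avatar">
    <img src="//forum.example/uploads/default/original/1X/abc.png">
    <img src="https://forum.example/letter_avatar/c/45/1.png" class="avatar">
    <img src='https://cdn.example.net/logo.png'>
  </body></html>
HTML

IMG_SRC = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/i

# Return the sorted list of hosts, other than the site's own, that the
# browser would contact to render the <img> tags in `html`. Relative and
# protocol-relative URLs are resolved against the site's own origin.
def third_party_image_hosts(html, own_host)
  hosts = Set.new
  html.scan(IMG_SRC).flatten.each do |src|
    begin
      uri = URI.join("https://#{own_host}/", src)
    rescue URI::InvalidURIError
      next # malformed src: skip rather than abort the audit
    end
    next unless uri.host
    hosts << uri.host.downcase unless uri.host.casecmp?(own_host)
  end
  hosts.to_a.sort
end

# True when at least one image on the page is fetched from the shared
# avatar service, i.e. that host learns about every view of this page.
def letter_avatar_leak?(html, own_host)
  third_party_image_hosts(html, own_host).include?('avatars.discourse.org')
end

if __FILE__ == $PROGRAM_NAME
  puts "third-party image hosts: #{third_party_image_hosts(SAMPLE_HTML, 'forum.example').join(', ')}"
  puts "shared avatar service in use: #{letter_avatar_leak?(SAMPLE_HTML, 'forum.example')}"
end
```

Running it against saved copies of a few topic pages before and after changing the setting shows whether the external host has actually dropped out of the page.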
I’m a little confused as to why a global CDN for avatars is desirable enough to be worth the privacy risk, in the age of HTTP/2 and/or SPDY. Have any tests been done in an HTTP/2 or SPDY environment to measure the performance impact of downloading additional avatars, once the TCP connection to the main domain is already open?
HTTP/2 and SPDY may not always be available for each host, and if the resource is already cached, that’s obviously faster than downloading it no matter what – but it also won’t take that long for the browser to cache most of an instance’s own self-hosted letters either, even over HTTP 1.1. There are only 26 letters, and not all of them are commonly used.
So to me, the performance benefit here is so negligible that the privacy and security concerns totally outweigh it. I strongly recommend that Discourse revert this feature for Discourse 1.5.