Disclaimer: I am not staff, not support, nothing but a customer.
Security through obscurity never did anyone any good, and I find it a trifle worrying that Dreamwidth is not being tremendously transparent on this matter.
As best I understand it, the security concern involves cookies. Fetching data from a /userpics/ directory requires the domain cookie to be transmitted for each picture, increasing the risk of it being compromised. Fetching data from a specific iconography subdomain would only jeopardise the cookie for that icon subdomain. As these are freely-available pictures, cookies can quite reasonably be done away with.
It is likely that this approach could also offer marginal speed gains; these alone may not outweigh the cost of migration. Re-writing the source code to abolish cookies entirely may be an unreasonably large task for this suggestion.
Again, the above is what I think is the most likely security concern. This summary may be completely and utterly inaccurate.
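As an added illustration of the cookie-scoping point in the comment above (not part of the original comment, and not Dreamwidth's code): a simplified model of the RFC 6265 domain and path matching a browser applies when deciding which cookies to attach to an image request. The host names, cookie names and jar are constructed placeholders, and the example goes slightly beyond the comment by distinguishing host-only cookies from cookies set with a Domain attribute.

```javascript
// RFC 6265 section 5.1.3 domain-match (IP-address hosts are not handled here).
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  // Suffix match only on a label boundary.
  return host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const { hostname, pathname, protocol } = new URL(url);
  return jar
    .filter((c) => (c.hostOnly ? hostname === c.domain : domainMatch(hostname, c.domain)))
    .filter((c) => pathMatch(pathname, c.path))
    .filter((c) => !c.secure || protocol === "https:")
    .map((c) => c.name);
}

// Constructed cookie jar; every name and host is a placeholder.
const jar = [
  // Set with a Domain attribute: sent to the site and to all of its subdomains.
  { name: "session", domain: "journal.example", hostOnly: false, path: "/", secure: false },
  // Set without a Domain attribute: sent only to the exact host that set it.
  { name: "hostonly_session", domain: "www.journal.example", hostOnly: true, path: "/", secure: false },
  // Path-scoped cookie: not sent for image paths.
  { name: "admin", domain: "www.journal.example", hostOnly: true, path: "/admin", secure: false },
];

// Icon served from a directory on the main host.
console.log(cookiesSentTo("http://www.journal.example/userpics/123", jar));
// Icon served from a sibling subdomain.
console.log(cookiesSentTo("http://icons.journal.example/123", jar));
// Icon served from a separate registrable domain.
console.log(cookiesSentTo("http://icons-journal.example/123", jar));
```

In this model the icon host receives no session cookie only when the session cookie is host-only or the icons live on a separate registrable domain.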