diff --git a/humbug/settings.py b/humbug/settings.py
index 3c03f98930..50aa5cbde8 100644
--- a/humbug/settings.py
+++ b/humbug/settings.py
@@ -99,6 +99,12 @@ SECRET_KEY = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
 # username generation.
 HASH_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
 
+# Use this salt to hash a user's email into a filename for their user-uploaded
+# avatar.  If this salt is discovered, attackers will only be able to determine
+# that the owner of an email account has uploaded an avatar to Humbug, which isn't
+# the end of the world.  Don't use the salt where there is more security exposure.
+AVATAR_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+
 # Tell the browser to never send our cookies without encryption, e.g.
 # when executing the initial http -> https redirect.
 #
diff --git a/templates/zephyr/left-sidebar.html b/templates/zephyr/left-sidebar.html
index 80498176bb..f2a74f1a87 100644
--- a/templates/zephyr/left-sidebar.html
+++ b/templates/zephyr/left-sidebar.html
@@ -3,7 +3,7 @@
               <div class="upper_sidebar">
                   <div class="brand">
                     <img class="img-rounded gravatar-profile"
-                         src="https://secure.gravatar.com/avatar/{{ email_hash }}?d=identicon&s=60" />
+                         src="{{ avatar_url }}&s=60" />
                     <span id="my_information">
                       <span class="my_fullname">{{ user_profile.full_name }}</span><br />
                       <span class="my_email">{{ user_profile.email }}</span>
diff --git a/templates/zephyr/navbar.html b/templates/zephyr/navbar.html
index 51c8a1cc52..3f5463685b 100644
--- a/templates/zephyr/navbar.html
+++ b/templates/zephyr/navbar.html
@@ -9,7 +9,7 @@
           <a class="brand skinny-user-gravatar visible-phone" href="#"
              title="{{user_profile.full_name}} - {{user_profile.email}}">
             <img class="img-rounded gravatar-profile"
-                 src="https://secure.gravatar.com/avatar/{{ email_hash }}?d=identicon&s=30" />
+                 src="{{ avatar_url }}&s=30" />
           </a>
           <div id="searchbox">
             <form id="searchbox_form" class="form-search navbar-search">
diff --git a/templates/zephyr/settings.html b/templates/zephyr/settings.html
index cc3a76fa18..0aeff9b5ef 100644
--- a/templates/zephyr/settings.html
+++ b/templates/zephyr/settings.html
@@ -68,8 +68,8 @@
               <label class="control-label">Your picture</label>
               <div class="controls">
                   <a href="https://en.gravatar.com/emails" target="_blank" class="change_gravatar_button">
-                      <p><img class="img-rounded gravatar-profile"
-                           src="https://secure.gravatar.com/avatar/{{ email_hash }}?d=identicon&s=60" /></p>
+                      <p><img class="img-rounded gravatar-profile user-image-settings"
+                           src="{{ avatar_url }}&s=60" /></p>
                       <p>Change at Gravatar.com</p>
                   </a>
               </div>
diff --git a/zephyr/lib/avatar.py b/zephyr/lib/avatar.py
index d1589b2743..b47f6c38e5 100644
--- a/zephyr/lib/avatar.py
+++ b/zephyr/lib/avatar.py
@@ -1,4 +1,5 @@
 from __future__ import absolute_import
+from django.conf import settings
 
 import hashlib
 from zephyr.lib.utils import make_safe_digest
@@ -11,3 +12,21 @@ def gravatar_hash(email):
     # typo an address or someone manages to give us a non-ASCII address, let's
     # not error out on it.
     return make_safe_digest(email.lower(), hashlib.md5)
+
+def user_avatar_hash(email):
+    # Salting the user_key may be overkill, but it prevents us from
+    # basically mimicking Gravatar's hashing scheme, which could lead
+    # to some abuse scenarios like folks using us as a free Gravatar
+    # replacement.
+    user_key = email.lower() + settings.AVATAR_SALT
+    return make_safe_digest(user_key, hashlib.sha1)
+
+def avatar_url(user_profile):
+    if user_profile.avatar_source == 'U':
+        bucket = settings.S3_AVATAR_BUCKET
+        hash_key = user_avatar_hash(user_profile.email)
+        # ?x=x allows templates to append additional parameters with &s
+        return "https://%s.s3.amazonaws.com/%s?x=x" % (bucket, hash_key)
+    else:
+        hash_key = gravatar_hash(user_profile.email)
+        return "https://secure.gravatar.com/avatar/%s?d=identicon" % (hash_key,)
diff --git a/zephyr/models.py b/zephyr/models.py
index 6327162e44..33c37096b4 100644
--- a/zephyr/models.py
+++ b/zephyr/models.py
@@ -10,7 +10,7 @@ from zephyr.lib.utils import make_safe_digest
 import os
 from django.db import transaction, IntegrityError
 from zephyr.lib import bugdown
-from zephyr.lib.avatar import gravatar_hash
+from zephyr.lib.avatar import gravatar_hash, avatar_url
 from django.utils import timezone
 from django.contrib.sessions.models import Session
 from django.utils.html import escape
@@ -333,7 +333,8 @@ class Message(models.Model):
             recipient_id      = self.recipient.id,
             subject           = self.subject,
             timestamp         = datetime_to_timestamp(self.pub_date),
-            gravatar_hash     = gravatar_hash(self.sender.email),
+            gravatar_hash     = gravatar_hash(self.sender.email), # Deprecated June 2013
+            avatar_url        = avatar_url(self.sender),
             client            = self.sending_client.name)
 
         if self.last_edit_time != None:
diff --git a/zephyr/static/templates/message.handlebars b/zephyr/static/templates/message.handlebars
index ec9bf1b5fb..fa1c6e99d9 100644
--- a/zephyr/static/templates/message.handlebars
+++ b/zephyr/static/templates/message.handlebars
@@ -59,7 +59,7 @@
         {{#include_sender}}
         <span class="message_sender actions_hover">
             <div class="inline_profile_picture"
-                 style="background-image: url('https://secure.gravatar.com/avatar/{{gravatar_hash}}?d=identicon&s=30?stamp={{stamp}}');"/>
+                 style="background-image: url('{{avatar_url}}&s=30&stamp={{stamp}}');"/>
             <span class="sender_name">{{sender_full_name}}</span>
         </span>
         {{/include_sender}}
diff --git a/zephyr/tests.py b/zephyr/tests.py
index 3dc44bfbc1..6a87d2c713 100644
--- a/zephyr/tests.py
+++ b/zephyr/tests.py
@@ -1046,9 +1046,11 @@ class GetOldMessagesTest(AuthedTestCase):
         self.assertIsInstance(result["messages"], list)
         for message in result["messages"]:
             for field in ("content", "content_type", "display_recipient",
-                          "gravatar_hash", "recipient_id", "sender_full_name",
+                          "avatar_url", "recipient_id", "sender_full_name",
                           "sender_short_name", "timestamp"):
                 self.assertIn(field, message)
+            # TODO: deprecate soon in favor of avatar_url
+            self.assertIn('gravatar_hash', message)
 
     def test_successful_get_old_messages(self):
         """
diff --git a/zephyr/views.py b/zephyr/views.py
index 50d5a07693..9868e85546 100644
--- a/zephyr/views.py
+++ b/zephyr/views.py
@@ -46,7 +46,7 @@ from zephyr.decorator import require_post, \
     JsonableError, RequestVariableMissingError, get_user_profile_by_email, \
     authenticated_rest_api_view, process_as_post, REQ, rate_limit, rate_limit_user
 from zephyr.lib.query import last_n
-from zephyr.lib.avatar import gravatar_hash
+from zephyr.lib.avatar import avatar_url
 from zephyr.lib.response import json_success, json_error, json_response, json_method_not_allowed, \
     render_to_response
 from zephyr.lib.timestamp import datetime_to_timestamp
@@ -580,7 +580,7 @@ def home(request):
     return render_to_response('zephyr/index.html',
                               {'user_profile': user_profile,
                                'page_params' : page_params,
-                               'email_hash'  : gravatar_hash(user_profile.email),
+                               'avatar_url': avatar_url(user_profile),
                                'show_debug':
                                    settings.DEBUG and ('show_debug' in request.GET),
                                'show_invites': show_invites