Facebook Now Supports PGP To Send You Encrypted Emails
An anonymous reader writes: You can now have Facebook encrypt email it sends to you by adding your PGP key to your profile. The PGP feature is "experimental" and will be rolled out slowly. The announcement reads in part: "...today we are gradually rolling out an experimental new feature that enables people to add OpenPGP public keys to their profile; these keys can be used to 'end-to-end' encrypt notification emails sent from Facebook to your preferred email accounts. People may also choose to share OpenPGP keys from their profile, with or without enabling encrypted notifications."
Apparently you can make the pubkey public so that others can download it too. That makes Facebook another easy way to distribute a pubkey.
Your point? You only give them your public key - the whole point of which is that it's public. That's why we put them on keyservers. Mostly they will use it for the emails they send you... which they already know the contents of. They'll also be acting as a key distribution channel which is interesting - reliably distributing public keys is difficult and a social network account could act as a verified way to do this (although I wouldn't want to rely on it without being sure they hadn't switched the key out for another one).
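The worry in the comment above, that a profile could quietly serve a different key than the one the owner published, is exactly what an OpenPGP fingerprint pin catches. The following is an added example, not code from Facebook or from any poster: it parses an ASCII-armored public key block with the standard library only, computes the RFC 4880 v4 fingerprint (SHA-1 over 0x99, a two-byte length, and the public-key packet body), and compares it against a fingerprint recorded earlier out of band. The key it checks is a constructed toy RSA packet with a 128-bit modulus, built solely so the example runs offline; the function names and the pinned value are assumptions of the example, and subkeys, signatures and partial-length packets are skipped rather than handled.

```python
import base64
import hashlib
import struct


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (RFC 4880 s6.2); armor headers and the '=CRC24' line are ignored."""
    lines = armored.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                      # 'Key: Value' headers end at the first blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet, old and new header formats (RFC 4880 s4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:                  # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                           # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = len(data) - pos
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
        yield tag, data[pos:pos + length]
        pos += length


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 s12.2: SHA-1(0x99 || 2-byte body length || public-key packet body)."""
    if key_body[0] != 4:
        raise ValueError("only version-4 keys are supported here")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    return digest.hexdigest().upper()


def fingerprint_of_armored(armored: str) -> str:
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:                    # primary public-key packet; subkeys (14) and sigs skipped
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")


def key_matches_pin(armored: str, pinned_fingerprint: str) -> bool:
    """True only if the downloaded key's fingerprint equals the one recorded earlier."""
    return fingerprint_of_armored(armored) == pinned_fingerprint.replace(" ", "").upper()


# --- constructed toy key so the example runs offline (NOT a usable key) ---
def _mpi(value: int) -> bytes:
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def public_key_body(modulus: int, exponent: int = 65537, created: int = 1433000000) -> bytes:
    # version 4, creation time, algorithm 1 (RSA), MPI n, MPI e
    return b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(modulus) + _mpi(exponent)


def build_constructed_key(modulus: int) -> str:
    body = public_key_body(modulus)
    packet = bytes([0x80 | (6 << 2)]) + bytes([len(body)]) + body   # old format, 1-byte length
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            + base64.b64encode(packet).decode("ascii")
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    toy_modulus = 0xC0FFEEDEADBEEF0123456789ABCDEF01          # constructed value
    pinned = fingerprint_of_armored(build_constructed_key(toy_modulus))  # recorded out of band
    served_later = build_constructed_key(toy_modulus + 2)        # a swapped-out key
    print("pinned:", pinned)
    print("served key matches pin:", key_matches_pin(served_later, pinned))
```

The value worth pinning is the full 40-hex-digit fingerprint, copied from a channel the profile host does not control; comparing only a short key ID is not enough, because short IDs are cheap to collide.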
Srsly!
Wonder who will be first to make a "Finger Facebook for my Public Key" joke.
It does serve a purpose in being another means to easily distribute a pubkey, especially to those who might not be familiar enough with pgp/gpg to use keyservers, or prefer not to use them.
After all, we can put our precious pgp pubkeys in our Slashdot profiles as well.
https://slashdot.org/users.pl?...
You can find them at:
a) They'll also be offering key distribution.
b) Yes! 1) It prevents whoever is intercepting my emails (let's assume Facebook is feeding info to the NSA here, but it could still keep out the Iranians/cybercriminals etc.) knowing that Susie (networks: I hate Ahmadinejad) communicates with me, i.e. communications metadata - a pretty big thing. 2) It moves towards a model of (increased) privacy by default. This is good because it makes bulk collection much more difficult (even if they can crack the encryption it vastly ups the resources they need), leads to widespread adoption of encryption for "important" stuff too and removes the stigma/guilt by association of encryption usage.
I wish more companies would support this. Even if it's just random status updates and reminders for services I use, I prefer absolutely everything to be encrypted. Fingers crossed that others follow suit.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
When will /. implement a similar mechanism?
It already did, years ago, there's a field for it in:
https://slashdot.org/users.pl?...
You can then find them at:
Right, that's exactly what you want to be doing if you are interested in encrypted communication... Share the list of other people who want to communicate with you via encryption. That way the most intentionally invasive service in the world can build a giant graph of everyone who communicates via encryption. Then the NSA will know who to focus their efforts on just by who has had the most people download their public key or who is at the center of the largest clusters of connectivity.
This could possibly be countered by having everyone download lots of random people's keys. But only if FB doesn't require you to be "friends" before you can exchange keys.
The best way to counter it is to let all the sheeple use it, to give the NSA something to play with, while the astute "encryptionistas" ignore it.
I see the first step not in encryption, but in verification that the sender is who he claims to be.
If this helps to have more people use it that way, I am all for it.
e.g. I have a dedicated email address for e.g. my bank, bank.com@example.com. That way I can already filter out those who pretend to be my bank. It would be better if they used a PGP signature so I can verify if it really IS the bank sending me something (or any other company) or if it's just an elite haxor who changed the From address.
To me email encryption is not the main factor, signing of emails/messages is.
Don't fight for your country, if your country does not fight for you.
I don't use the gmail web client. I have a GPG plugin (GPGMail) on my laptop's email and a GPG client (oPenGP) on my iPhone.
There are GPG plugins for the web client but I have not used them.
Trolling is a art,
Download the message using their IMAP servers. I use GMail, but very rarely do I actually log into the web UI anymore. All messages are either read on my phone or read on my computer with an actual email client. You avoid the ads, and you can read encrypted email. Not that I've ever bothered with encryption.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I wish more companies would support this. Even if it's just random status updates and reminders for services I use, I prefer absolutely everything to be encrypted.
In principle I agree with you. Unfortunately precisely none of the people I interact with on a daily basis have even the slightest interest in bothering with encrypting their communications. Worse, only a handful of them have the technical chops to do it properly. The rest wouldn't even begin to comprehend the need to jump through all the extra hoops. If they need to tell me something privately they simply do it in person where no one can listen. Using a tool like PGP securely is NOT simple and this will ensure it is never used except by a handful of crypto-geeks.
There currently is absolutely no way I am aware of to make public key encryption simultaneously simple AND secure. You can have one or the other but not both. It fails the "explain it to your grandmother test" badly. Until some clever soul can find a way to make it nearly transparent to use and still secure, end-to-end encryption will remain a play toy for paranoid geeks and the occasional clever ne'er-do-well.
Fail. "You" is dative, not a typo for genitive "your".
Slashdot still doesn't offer https support.
This is very interesting, but unfortunately the parent poster is correct. Tying a public key to your social media account is a good way to prove ownership without having to trust these notoriously dubious certification authorities. However, Facebook is an American company and that makes it trivial for their government agencies to infiltrate it to fake a false trust and man-in-the-middle communications (i.e. pretend to be you to the other end). Them encrypting the traffic they send you is nice but also irrelevant from that perspective as the unencrypted traffic could just be subpoenaed.
It would be extremely interesting if someone else from a more trustworthy country were to do this!
If it ain't broke, don't fix it.
Seems like a better technology to me, since you can encrypt entire MIME parts (including attachments and (some) headers) rather than just body text.
Why do you think PGP can't do that, because it can. That's what PGP/MIME is for.
I think it was on a story about Facebook's .onion site, someone made a comment that also applies here:
"That's like putting a condom over the car you drive to the whorehouse."
"When information is power, privacy is freedom" - Jah-Wren Ryel
I'm wondering how they encode the messages, do they use PGP Inline or PGP/MIME? Has anybody tried it and can comment on that?
I'm using it. They use PGP/MIME.
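To make the PGP/MIME versus inline distinction from the two exchanges above concrete, here is an added example (not code from Facebook or from any poster) that builds a notification email in the RFC 3156 PGP/MIME layout, builds the same content as an inline PGP message, and classifies a received message as one or the other. It uses only the Python standard library. The ciphertext it wraps is a constructed placeholder in armor framing, standing in for what a client or service would obtain from its OpenPGP implementation; the function names and the example addresses are assumptions of the example. Note that in both forms the Subject and other headers stay in clear, which is also why the Facebook feature only protects the notification body.

```python
from email import encoders, message_from_bytes
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.policy import default as DEFAULT_POLICY

# Constructed placeholder: armor framing with dummy content, NOT real ciphertext.
CONSTRUCTED_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgLSBub3QgYSByZWFsIHBncCBtZXNzYWdl\n"
    "-----END PGP MESSAGE-----\n"
)

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"


def build_pgp_mime(sender: str, recipient: str, subject: str, ciphertext: str) -> bytes:
    """RFC 3156: multipart/encrypted; protocol="application/pgp-encrypted",
    part 1 is the control part ("Version: 1"), part 2 carries the armored ciphertext."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = subject          # headers are not covered by the encryption
    control = MIMEApplication(b"Version: 1\n", _subtype="pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    payload = MIMEApplication(ciphertext.encode("ascii"), _subtype="octet-stream",
                              _encoder=encoders.encode_7or8bit, name="encrypted.asc")
    outer.attach(control)
    outer.attach(payload)
    return outer.as_bytes()


def build_inline(sender: str, recipient: str, subject: str, body: str) -> bytes:
    """Inline PGP: the armored block simply becomes the text/plain body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes()


def classify(raw: bytes) -> str:
    """Return 'pgp/mime', 'inline', 'malformed' or 'cleartext' for a received message."""
    msg = message_from_bytes(raw, policy=DEFAULT_POLICY)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        parts = msg.get_payload()
        if (msg.get_param("protocol") == "application/pgp-encrypted"
                and len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"):
            return "pgp/mime"
        return "malformed"              # wrong protocol or part count: do not try to decrypt
    if ctype == "text/plain" and BEGIN in msg.get_content():
        return "inline"
    return "cleartext"


def extract_armored(raw: bytes) -> str:
    """Pull the armored OpenPGP message out of either layout, ready for decryption."""
    msg = message_from_bytes(raw, policy=DEFAULT_POLICY)
    kind = classify(raw)
    if kind == "pgp/mime":
        return msg.get_payload()[1].get_content().decode("ascii")
    if kind == "inline":
        text = msg.get_content()
        return text[text.index(BEGIN):text.index(END) + len(END)] + "\n"
    raise ValueError("no OpenPGP payload found")


if __name__ == "__main__":
    raw = build_pgp_mime("notification@example.com", "alice@example.com",
                         "New friend request", CONSTRUCTED_CIPHERTEXT)
    print(raw.decode("ascii"))
    print("classified as:", classify(raw))
```

A reader that only recognises one of the two layouts will show the other as an attachment or as opaque text, which is the practical reason the question in the thread matters for whichever mail client the notifications land in.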
That's not how it works. Facebook isn't letting you use PGP to encrypt user-to-user messages.
They're letting you upload your *public* key to your profile with the option to have Facebook encrypt any automated notification messages it sends to your email. This way those notification messages are protected from snooping as they traverse the internet between Facebook and your email server, while they are stored on the mail server, etc.
Facebook is not doing encrypted messaging between users. Did you RTFA at all?
All they are doing is:
1. Letting users upload their public key to their profile
2. Encrypting Facebook notifications sent to those users
3. Serving as another means of distributing public keys, since other users can download your pubkey from your profile, which they can use in the e-mail client of their choice
That's it.
Tying a public key to your social media account is a good way to prove ownership without having to trust these notoriously dubious certification authorities.
You still have to trust DigiCert, the CA that signed the facebook.com certificate. That's on top of trusting Facebook, as you pointed out.