Securing Email Communications from Facebook with PGP Key
It's very important to us that the people who use Facebook feel safe and can trust that their connection to Facebook is secure; for instance this is why we run connections to our site over HTTPS with HSTS and why we provide a Tor onion site for people who want to enjoy security guarantees beyond those offered by HTTPS.
However these technologies protect only the direct connections people make to Facebook. People also receive information from us over channels such as email. Whilst Facebook seeks to secure connections to your email provider with TLS, the stored content of those messages may be accessible as plaintext (with attachments) to anyone who accesses your email provider or email account.
To enhance the privacy of this email content, today we are gradually rolling out an experimental new feature that enables people to add OpenPGP public keys to their profile; these keys can be used to "end-to-end" encrypt notification emails sent from Facebook to your preferred email accounts. People may also choose to share OpenPGP keys from their profile, with or without enabling encrypted notifications.
Where encrypted notifications are enabled, Facebook will sign outbound messages using our own key to provide greater assurance that the contents of inbound emails are genuine.
You will be able to update your own public key, using a desktop browser, at:
https://www.facebook.com/me/about?section=contact-info
Created as PGP nearly 25 years ago by Phil Zimmermann, OpenPGP is one of the most popular available standards for protecting email with public key encryption. If you are unfamiliar with using OpenPGP technology, the Electronic Frontier Foundation offers an introduction:
Using GPG4Win software, you can create your Public and Private PGP keys. Public Key is something that others will need to know before they can send you encrypted mail. However, Private PGP key will be used to decrypt emails you receive, which you need to keep secret from everyone.
The picture is from : https://www.igolder.com/pgp/generate-key/
Source : Facebook Protect the Graph
However these technologies protect only the direct connections people make to Facebook. People also receive information from us over channels such as email. Whilst Facebook seeks to secure connections to your email provider with TLS, the stored content of those messages may be accessible as plaintext (with attachments) to anyone who accesses your email provider or email account.
To enhance the privacy of this email content, today we are gradually rolling out an experimental new feature that enables people to add OpenPGP public keys to their profile; these keys can be used to "end-to-end" encrypt notification emails sent from Facebook to your preferred email accounts. People may also choose to share OpenPGP keys from their profile, with or without enabling encrypted notifications.
Where encrypted notifications are enabled, Facebook will sign outbound messages using our own key to provide greater assurance that the contents of inbound emails are genuine.
You will be able to update your own public key, using a desktop browser, at:
https://www.facebook.com/me/about?section=contact-info
Technology
Created as PGP nearly 25 years ago by Phil Zimmermann, OpenPGP is one of the most popular available standards for protecting email with public key encryption. If you are unfamiliar with using OpenPGP technology, the Electronic Frontier Foundation offers an introduction:
...with installation guides for:
- Windows: https://ssd.eff.org/en/module/how-use-pgp-windows-pc
- Mac OS X: https://ssd.eff.org/en/module/how-use-pgp-mac-os-x
- Linux: https://ssd.eff.org/en/module/how-use-pgp-linux
For our implementation we have chosen to use GNU Privacy Guard - “GPG” - a widely used and free implementation of the OpenPGP standard. Facebook is a supporter of GPG and we encourage others to support GPG as well.
Key Fingerprints & Roadmap
Facebook's OpenPGP key comprises a long term primary key with short term subkeys; this allows us to frequently rotate our operational keys whilst maintaining the web of trust and a consistent identity over time. As of the time of writing our primary key has the fingerprint:
31A7 0953 D8D5 90BA 1FAB 3776 2F38 98CE DEE9 58CF
…with the following operational subkey fingerprint:
D8B1 153C 9BE9 C7FD B62F 7861 DBF4 E8A2 96FD E3D7
Facebook notifications are encrypted with a version of GPG that supports encryption with the RSA or ElGamal algorithms; we are investigating the addition of support for GPG's newer elliptic curve algorithms in the near future.
Finally: public key management is not yet supported on mobile devices; we are investigating ways to enable this.
Key Fingerprints & Roadmap
Facebook's OpenPGP key comprises a long term primary key with short term subkeys; this allows us to frequently rotate our operational keys whilst maintaining the web of trust and a consistent identity over time. As of the time of writing our primary key has the fingerprint:
31A7 0953 D8D5 90BA 1FAB 3776 2F38 98CE DEE9 58CF
…with the following operational subkey fingerprint:
D8B1 153C 9BE9 C7FD B62F 7861 DBF4 E8A2 96FD E3D7
Facebook notifications are encrypted with a version of GPG that supports encryption with the RSA or ElGamal algorithms; we are investigating the addition of support for GPG's newer elliptic curve algorithms in the near future.
Finally: public key management is not yet supported on mobile devices; we are investigating ways to enable this.
How to use PGP to send encrypted emails?
In case if you want to send and receive encrypted email using PGP, you will first need to install some extra software given below:
- GPG4Win: GNU Privacy Guard for Windows known as GnuPG
- Enigmail
- Mozilla Thunderbird
Using GPG4Win software, you can create your Public and Private PGP keys. Public Key is something that others will need to know before they can send you encrypted mail. However, Private PGP key will be used to decrypt emails you receive, which you need to keep secret from everyone.
Source : Facebook Protect the Graph
No comments
Post a Comment