Users can now add OpenPGP public keys to their Facebook profiles, but don't lose your private key
Facebook is letting users enable the OpenPGP encryption standard to protect the e-mail notifications the company sends them, and to share their public encryption keys with their friends or with the public. The encryption protects the contents of those notification e-mails from anyone who can read the user's mailbox or intercept it in transit; it does not change how messages on Facebook itself are stored.
The company said that “We are gradually rolling out an experimental new feature that enables people to add OpenPGP public keys to their profile; these keys can be used to ‘end-to-end’ encrypt notification emails sent from Facebook to your preferred email accounts. People may also choose to share OpenPGP keys from their profile, with or without enabling encrypted notifications.”
Many users turn off e-mail notifications from Facebook to avoid the flood of alerts. The one notification worth protecting, however, is the password-reset e-mail: whoever can read it can take over the account, so it is a good idea to have that mail encrypted.
A public key is uploaded through the contact info section of the profile settings. Facebook then uses it to encrypt notifications and other alerts it sends to the user, who decrypts them on receipt with the corresponding private key.
Nobody except the user should hold a copy of the private key. Facebook blocks attempts to upload a private key in place of a public one.
There is a flipside to enabling encrypted notifications. If you opt in and then lose your private key, you can no longer decrypt the e-mails; in particular, if you request a password reset you will not be able to read the e-mail that carries the reset link, and you may lose access to the account. Facebook warns about this repeatedly during setup.
The Register tested the new service. It generated a 4,096-bit RSA key pair with a one-year expiry using gpg --gen-key, exported the public key in ASCII armor with gpg --export -a followed by the key ID, and pasted the output into the form. Decrypting a notification was as simple as gpg --output facebook.txt --decrypt encrypted.asc, where encrypted.asc was the file attached to the received e-mail, according to The Register.
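The point made above, that Facebook rejects a private key uploaded in place of a public one, rests on what is actually inside the armored block rather than on its label. The following added example (not Facebook's or GnuPG's code) shows how that check can be done: it dearmors a block such as the output of gpg --export -a, verifies the CRC24 checksum, walks the OpenPGP packet headers (RFC 4880 section 4.2) and reports whether the first packet is a Public-Key (tag 6) or a Secret-Key (tag 5) packet. The "PUBLIC KEY BLOCK" text in the armor header is only a label that anyone can edit, so the decision is made on the packet tag. The key material in the samples is a constructed placeholder, not a real key, and the function and constant names are this example's own.

```python
import base64

PUBLIC_KEY_TAG = 6   # RFC 4880: Public-Key packet
SECRET_KEY_TAG = 5   # RFC 4880: Secret-Key packet
USER_ID_TAG = 13     # RFC 4880: User ID packet


def crc24(data: bytes) -> int:
    """OpenPGP CRC24 (RFC 4880 section 6.1), the value on the armor's '=' line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Strip the armor header/footer, base64-decode the body and verify the CRC24."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("not an ASCII-armored OpenPGP block")
    i = 1
    while i < len(lines) and lines[i].strip():  # skip "Version:"-style armor headers
        i += 1
    payload, crc_line = [], None
    for line in lines[i + 1:]:
        line = line.strip()
        if line.startswith("-----END PGP "):
            break
        if line.startswith("="):  # checksum line: '=' followed by four base64 characters
            crc_line = line[1:]
        else:
            payload.append(line)
    data = base64.b64decode("".join(payload), validate=True)
    if crc_line is not None and crc24(data) != int.from_bytes(base64.b64decode(crc_line), "big"):
        raise ValueError("armor CRC24 mismatch: block was truncated or altered")
    return data


def packet_tags(data: bytes) -> list:
    """Return the tag of every top-level packet; handles old- and new-format headers."""
    tags, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("byte %d is not a packet header" % i)
        i += 1
        if ctb & 0x40:  # new-format header: 6-bit tag, one/two/five-octet length
            tag = ctb & 0x3F
            first = data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not supported here")
        else:  # old-format header: 4-bit tag, length type in the low two bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported here")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        tags.append(tag)
        i += length
    if i != len(data):
        raise ValueError("packet length runs past the end of the data")
    return tags


def classify_key_block(armored: str) -> str:
    """'public' or 'secret' according to the first packet's tag; anything else is rejected."""
    tags = packet_tags(dearmor(armored))
    if not tags or tags[0] not in (PUBLIC_KEY_TAG, SECRET_KEY_TAG):
        raise ValueError("block does not start with a key packet (tags: %r)" % tags)
    return "secret" if tags[0] == SECRET_KEY_TAG else "public"


# Constructed sample data. The packet body is a placeholder (version 4, creation time 0,
# algorithm 1 = RSA, a tiny MPI); it is not real key material and is not parsed above.
def encode_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a two-octet length (valid for tags below 16)."""
    return bytes([0x80 | (tag << 2) | 0x01]) + len(body).to_bytes(2, "big") + body


def armor(block_type: str, data: bytes) -> str:
    """Wrap binary OpenPGP data in ASCII armor with a CRC24 line, like gpg --export -a."""
    b64 = base64.b64encode(data).decode()
    body = [b64[j:j + 64] for j in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {block_type}-----", "", *body, "=" + crc,
                      f"-----END PGP {block_type}-----"])


FAKE_KEY_BODY = bytes([4, 0, 0, 0, 0, 1, 0, 3, 5])
SAMPLE_PUBLIC_KEY = armor("PUBLIC KEY BLOCK", encode_packet(PUBLIC_KEY_TAG, FAKE_KEY_BODY)
                          + encode_packet(USER_ID_TAG, b"Alice <alice@example.com>"))
# Same armor label, but the packet inside is a Secret-Key packet: the label lies, the tag does not.
MISLABELED_SECRET_KEY = armor("PUBLIC KEY BLOCK", encode_packet(SECRET_KEY_TAG, FAKE_KEY_BODY))

if __name__ == "__main__":
    for name, block in (("SAMPLE_PUBLIC_KEY", SAMPLE_PUBLIC_KEY), ("MISLABELED_SECRET_KEY", MISLABELED_SECRET_KEY)):
        print(name, "->", classify_key_block(block))
```

Run against a real export, the same classify_key_block call on the output of gpg --export -a reports "public", and on gpg --export-secret-keys -a it reports "secret" even if the BEGIN/END lines are edited to claim otherwise. Packets with partial body lengths or indeterminate lengths are rejected rather than guessed at, which is the right failure mode for an upload filter.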
Facebook uses the GNU Privacy Guard (GnuPG) implementation of OpenPGP and digitally signs its messages with a long-term primary key, fingerprint 31A7 0953 D8D5 90BA 1FAB 3776 2F38 98CE DEE9 58CF, and a short-term subkey, fingerprint D8B1 153C 9BE9 C7FD B62F 7861 DBF4 E8A2 96FD E3D7. The signatures let recipients verify that an e-mail really came from Facebook, provided they fetch that key and check its fingerprint against the one Facebook publishes rather than trusting whatever key arrives with the mail. The company says the operational keys will be rotated from time to time for security reasons.
The choice of GnuPG is no accident. In February, Facebook pledged $50,000 a year to Werner Koch, GnuPG's author, after the German developer said he was running out of money to keep the project going. Facebook says its implementation supports the RSA and ElGamal algorithms and that it is looking at GnuPG's newer elliptic-curve algorithms.
Facebook's move is likely to draw wider attention to encryption, and the addition of GnuPG support may make some users think more seriously about security.
As part of the move, Facebook lets users upload their own public keys to their profiles and publish them. This gives people a more reliable way to share public keys and to judge their authenticity: a key displayed alongside a public Facebook profile carries more trust than one found on a random key server, on the assumption that the account itself has not been compromised. It is a trust anchor tied to the account, not a substitute for checking fingerprints out of band.
In other words, PGP public-key support is a welcome step in the right direction, even for those who do not opt in to encrypted notifications.
Geoffrey King, Internet Advocacy Coordinator for the Committee to Protect Journalists said that “Security tools like PGP encryption are most effective when they are used widely. Facebook has taken an important step to help protect users’ private communications by default, and make the risky environment in which journalists work a little bit safer.”