Facebook Now Supports PGP To Send You Encrypted Emails

An anonymous reader writes: You can now have Facebook encrypt email it sends to you by adding your PGP key to your profile. The PGP feature is "experimental" and will be rolled out slowly. The announcement reads in part: "...today we are gradually rolling out an experimental new feature that enables people to add OpenPGP public keys to their profile; these keys can be used to 'end-to-end' encrypt notification emails sent from Facebook to your preferred email accounts. People may also choose to share OpenPGP keys from their profile, with or without enabling encrypted notifications."
  • Ahhh good another article from The Onion. Wait.... Seriously?

  • Just added my keys. Not that I care about the notifications that "Billy scored X on Y Game", but anything that obfuscates and encrypts data on the wire is a good thing. It's not just the NSA, how many of you use gmail? This will keep them from scanning your mail.

    >In fact I may enable a bunch more useless notifications and set up a rule to delete them at my end as they arrive.
    • by pr0nbot ( 313417 )

      If you're using gmail, and you receive an encrypted email, how do you read it without Google seeing the decrypted message?

      • by grub ( 11606 )
        I don't use the gmail web client. I have a GPG plugin (GPGMail) on my laptop's email and a GPG client (oPenGP) on my iPhone.

        There are GPG plugins for the web client but I have not used them.
        • by mlts ( 1038732 )

          It is commercial, but I've been using PGP Desktop (now Symantec Encryption Desktop) going on decades, and it is available for Windows and Macs. Main reason is that it is easy to copy some stuff, hit a key, instantly sign/encrypt/decrypt/validate it, then read or paste it. PGP Desktop also supports smart cards, which are the way to go when it comes to protecting one's private key (malware can only force the smart card to sign/decrypt, and not slurp the key up.)

          It offers plugins for Outlook. For Thunderbir

          • I'm running Linux so ordinary GPG with Claws-Mail (which has included gpg and s/mime plugins)

            Main reason is that it is easy to copy some stuff, hit a key, instantly sign/encrypt/decrypt/validate it, then read or paste it.

            GPA/KGPG/Kleopatra also have similar features.

      • Re:It took mine. (Score:4, Informative)

        by CastrTroy ( 595695 ) on Tuesday June 02, 2015 @07:51AM (#49821259) Homepage

        Download the message using their IMAP servers. I use GMail, but very rarely do I actually log into the web UI anymore. All messages are either read on my phone or read on my computer with an actual email client. You avoid the ads, and you can read encrypted email. Not that I've ever bothered with encryption.

      • Copy and paste the text into your decoder?

  • by GrantRobertson ( 973370 ) on Tuesday June 02, 2015 @07:40AM (#49821217) Homepage Journal

    Right, that's exactly what you want to be doing if you are interested in encrypted communication... Share the list of other people who want to communicate with you via encryption. That way the most intentionally invasive service in the world can build a giant graph of everyone who communicates via encryption. Then the NSA will know who to focus their efforts on just by who has had the most people download their public key or who is at the center of the largest clusters of connectivity.

    This could possibly be countered by having everyone download lots of random people's keys. But only if FB doesn't require you to be "friends" before you can exchange keys.

    The best way to counter it is to let all the sheeple use it, to give the NSA something to play with, while the astute "encryptionistas" ignore it.

    • by AmiMoJo ( 196126 )

      Share the list of other people who want to communicate with you via encryption.

      If only you had read the summary you would realize that isn't the case. It just encrypts the notification emails that Facebooks sends to you. Messages people send you on Facebook are not encrypted, only the notification email telling you that a message has arrived is.

      Optionally you can share your public key on your profile, the same as if you pasted it into the "about me" box or whatever Facebook uses. Same as publishing it on your web site or a key server.

      If you are wondering why Facebook doesn't encrypt m

      • If only you had read between the lines of said summary, based on FB's past behavior. If you share your public key on your profile, I guarantee you that FB WILL keep track of everyone who downloads it.

        The safest way to share your public key is to share it ubiquitously on your web page, in your e-mail signature, etcetera. Then no one can find out who is actually using it and who is ignoring it. (OK, other than deep scans of your traffic.)

        • The easiest way would be to look at your e-mail and see who is sending you PGP encrypted e-mails.

    • by grub ( 11606 )
      Anyone who encrypts mail to me does it from their own machines. This is for Facebook mail to you. If a user grabs your keys they can also send you mail directly without going through Facebook.

      Facebook lets you control your public keys as if it were any other information: public, friends only, etc.
    • by MSG ( 12810 )

      You have an awfully high opinion of yourself, for someone who misses the obvious.

      If the NSA wants to know with whom you exchange encrypted email, they can get that information by watching your email. PGP and SMIME don't encrypt SMTP envelope data (metadata).

      Any graph that FB builds would hardly be useful. It would be incomplete, because there are many established means of sharing public key data. And beyond that, viewing someone's key isn't a strong indication that you will email them with encryption. I

    • Wrong. That sound you just heard was the NSA's head asploding. These guys are *not* fans of end-to-end encryption by the public, or any entity other than themselves. It doesn't matter if they supposedly know who to focus on if they don't have the ability to decrypt the communications (unless they manage endpoint intrusion, but that's a separate problem). They want communications to be either a) unencrypted, or b) encrypted with a backdoor. Nevermind the fact that criminals and black hats would be just

  • ...these keys can be used to 'end-to-end' encrypt...

    It doesn't matter if the end-to-end transmission is 100% secure if the information can be compromised at the server via selling-out or hacking.

    Never assume your data is safe unless it's on an off-line computer or device in your possession.

    • Never assume your data is safe unless it's on an off-line computer or device in your possession.

      And then never look at it, ever, because someone might have implanted a tiny camera in your eye (don't assume they haven't!). In fact, better just delete all your data now and save yourself the trouble.

  • So how are you securely getting the email message to facebook to start with? I see an SSL connection that could easily have a "man in the middle" thing going on...

    • So how are you securely getting the email message to facebook to start with?

      You're not. It's for encrypting communications from Facebook to you, not from other Facebookers.

    • by heypete ( 60671 )

      So how are you securely getting the email message to facebook to start with? I see an SSL connection that could easily have a "man in the middle" thing going on...

      Facebook is encrypting automated notification messages (e.g. "[Friend name] posted new photos. Click here to see them." or "[Friend name] sent you a message on Facebook. Login to read it.") that it sends to your email account. Messages sent within Facebook are still unencrypted, only the notification message sent to your non-Facebook email would be encrypted.

  • Meanwhile (Score:5, Insightful)

    by Enry ( 630 ) <enry@NosPAM.wayga.net> on Tuesday June 02, 2015 @08:36AM (#49821575) Journal

    Slashdot still doesn't offer https support.

    • Slashdot used to offer HTTPS to subscribers, at a price of half a cent per page view (source: FAQ [slashdot.org]). But the subscription page [slashdot.org] is not only well hidden but also unavailable: "Buying or gifting of a new subscription is not available at the moment." The reason it was for subscribers only was that most advertising networks were HTTP-only, and browsers would block HTTP ads in HTTPS pages as "mixed content". Only in the past couple years did ad networks start to offer HTTPS.

    • Slashdot still doesn't offer https support.

      Get in line, I'm waiting for UTF-8! ;)

  • errr, so i want to send a communication, ok? it's supposed to be private, right? but it's a web service: facebook could, at any time (even under secret fascist subpoena) change or be forced to change (without informing us) the user interface so that the encrypted message is no longer encrypted, but is in fact entirely in cleartext.

    you might think, "ok, well, surely we could then just have a messenger service or app which does the job, and we could trust that, right?" and the answer is "well no, absolutely

    • by heypete ( 60671 )

      That's not how it works. Facebook isn't letting you use PGP to encrypt user-to-user messages.

      They're letting you upload your *public* key to your profile with the option to have Facebook encrypt any automated notification messages it sends to your email. This way those notification messages are protected from snooping as they traverse the internet between Facebook and your email server, while they are stored on the mail server, etc.

    • Facebook is not doing encrypted messaging between users. Did you RTFA at all?

      All they are doing is:

      1. Letting users upload their public key to their profile
      2. Encrypting Facebook notifications sent to those users
      3. Serving as another means of distributing public keys, since other users can download your pubkey from your profile, which they can use in their e-mail client of choice

      That's it.

      • by lkcl ( 517947 )

        Facebook is not doing encrypted messaging between users. Did you RTFA at all?

        i did indeed... but it obviously wasn't clear enough. i believe that would come from the subject line saying "facebook is sending encrypted emails", rather than the subject saying "facebook allowing you to receive GPG-signed administrative notifications by email".

  • I think it was on a story about Facebook's .onion site, someone made a comment that also applies here:

    "That's like putting a condom over the car you drive to the whorehouse."

  • PGP was created and promoted 20 frickin' years ago and mainstream websites are just now noticing? LMFAO.

  • KEYID: DEE958CF
    Fingerprint: 31A7 0953 D8D5 90BA 1FAB 3776 2F38 98CE DEE9 58CF

    The link Facebook gives is for a web proxy to the pgp.mit.edu keyserver, which tends to not be all that reliable when accessed directly and may be Slashdotted. So you might want to try doing this instead, on Linux anyway:

    gpg --recv-keys DEE958CF

    or if you have pgp-tools installed:

    keylookup DEE958CF

    or: with Seahorse it's Remote>Find Remote Keys

    In GPA (Gnu Privacy Assistant) it's Server>Retrieve keys

    Or with Kleopatra (the d
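The double-check the post above is aiming for, as an added example (not code from the post, from Facebook or from GnuPG): it derives the short and long key IDs from the posted fingerprint and then checks the keys found in `gpg --with-colons --fingerprint` style output against the full 40-digit fingerprint rather than the 8-digit KEYID, since the short ID is only 32 bits and several keys on a keyserver can share it. The sample gpg output below, including the decoy key in it, is constructed for the example; `verify_retrieved_key` and the other function names are this example's own.

```python
import re

# Key ID and fingerprint exactly as posted in the comment above.
POSTED_KEYID = "DEE958CF"
POSTED_FINGERPRINT = "31A7 0953 D8D5 90BA 1FAB 3776 2F38 98CE DEE9 58CF"

# Constructed sample in the shape of `gpg --with-colons --fingerprint` output:
# the genuine key plus a decoy key (made up here) whose fingerprint ends in the
# same 8 hex digits, i.e. it has the same short key ID.
SAMPLE_GPG_OUTPUT = """\
pub:-:4096:1:2F3898CEDEE958CF:1433232000::::::scESC::
fpr:::::::::31A70953D8D590BA1FAB37762F3898CEDEE958CF:
uid:-::::1433232000::UIDHASH::Facebook, Inc. <constructed-uid@example.invalid>::
pub:-:2048:1:89ABCDEFDEE958CF:1433232000::::::scESC::
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEE958CF:
uid:-::::1433232000::UIDHASH::Decoy key (constructed, same short key ID)::
"""


def normalize_fingerprint(fp):
    """Strip spaces/colons and upper-case; an OpenPGP v4 fingerprint is 40 hex digits."""
    cleaned = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % fp)
    return cleaned


def short_key_id(fp):
    """Low 32 bits of the fingerprint (8 hex digits): the KEYID form used in the post."""
    return normalize_fingerprint(fp)[-8:]


def long_key_id(fp):
    """Low 64 bits (16 hex digits): what newer gpg prints; still not a substitute for the fingerprint."""
    return normalize_fingerprint(fp)[-16:]


def parse_fingerprints(colon_output):
    """Collect fingerprints from 'fpr' records; in --with-colons output the fingerprint is field 10."""
    fingerprints = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            fingerprints.append(normalize_fingerprint(fields[9]))
    return fingerprints


def verify_retrieved_key(colon_output, expected_fp, expected_keyid):
    """Compare every retrieved key against the expected fingerprint and short key ID.

    Returns how many keys matched on the short ID alone, how many matched the full
    fingerprint, and whether exactly one key is the expected one. A short-ID match
    without a fingerprint match is exactly the case a fingerprint check exists to catch.
    """
    expected = normalize_fingerprint(expected_fp)
    found = parse_fingerprints(colon_output)
    keyid_hits = [fp for fp in found if short_key_id(fp) == expected_keyid.upper()]
    fingerprint_hits = [fp for fp in found if fp == expected]
    return {
        "keys_seen": len(found),
        "keyid_matches": len(keyid_hits),
        "fingerprint_matches": len(fingerprint_hits),
        "trusted": len(fingerprint_hits) == 1,
    }


if __name__ == "__main__":
    print("short key ID:", short_key_id(POSTED_FINGERPRINT))
    print("long key ID: ", long_key_id(POSTED_FINGERPRINT))
    print(verify_retrieved_key(SAMPLE_GPG_OUTPUT, POSTED_FINGERPRINT, POSTED_KEYID))
```

With real gpg the input to `parse_fingerprints` would be the output of `gpg --with-colons --fingerprint <keyid>` after a `--recv-keys`; the point of the sample is that both keys satisfy the KEYID comparison and only one satisfies the fingerprint comparison, so the fingerprint is the value to compare against the one on the Facebook page, not the 8-digit ID.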

    • Your post explains, precisely, why the Gentle User cannot have nice things like PGP.

      • How so? I gave multiple methods, both command line and GUI for Linux and GUI for windows since I don't know what people have installed. I tried to cover the most common ways. People can just stick with the GUI if they want.

        I gave the KEYID and Fingerprint (also listed on the Facebook page) so people could get (and double check) that it's the right pubkey.

        I could have just said:

        "Open up your PGP/GPG GUI and search the keyservers for the Facebook, Inc pubkey."

        But I was being more descriptive and thorough.

        • I apologize for being unclear.

          I wasn't criticizing you.

          I was criticizing PGP.

          I asked my wife to look at a part of your response to me:

          I gave multiple methods, both command line and GUI for Linux and GUI for windows since I don't know what people have installed. I tried to cover the most common ways. People can just stick with the GUI if they want.

          She was all like, "Wait, what?"

          You and I grok PGP, but she certainly doesn't, and she needs protection more than you or I do.

          • Thanks for the clarification. I must admit that I didn't start using gpg myself until 2007 because it seemed "intimidatingly complicated".

            I'm not sure e-mail encryption can ever be "one button easy", since you have to create keys, edit and manage keys both public and secret, revoke keys, receive pubkeys, upload pubkeys, etc etc.

            That said, the GUI's aren't that hard to use.....but.... it is a bit "fiddly" and sometimes the explanations make it seem more complex than it is. I rather like the gpg4win PDF d

  • We don't want you as our internet service provider. KTHXBYE.
