Facebook Now Supports PGP To Send You Encrypted Emails
An anonymous reader writes: You can now have Facebook encrypt email it sends to you by adding your PGP key to your profile. The PGP feature is "experimental" and will be rolled out slowly. The announcement reads in part: "...today we are gradually rolling out an experimental new feature that enables people to add OpenPGP public keys to their profile; these keys can be used to 'end-to-end' encrypt notification emails sent from Facebook to your preferred email accounts. People may also choose to share OpenPGP keys from their profile, with or without enabling encrypted notifications."
The Onion (Score:2)
Ahhh good another article from The Onion. Wait.... Seriously?
Re: (Score:2)
Ahhh good another article from The Onion. Wait.... Seriously?
Yes seriously [facebookcorewwwi.onion]!
Re:The Onion (Score:4, Insightful)
Srsly!
Wonder who will be first to make a "Finger Facebook for my Public Key" joke.
It does serve a purpose in being another means to easily distribute a pubkey, especially to those who might not be familiar enough with pgp/gpg to use keyservers, or prefer not to use them.
After all, we can put our precious pgp pubkeys in our Slashdot profiles as well.
https://slashdot.org/users.pl?... [slashdot.org]
It took mine. (Score:2)
>In fact I may enable a bunch more useless notifications and set up a rule to delete them at my end as they arrive.
Re: (Score:2)
If you're using gmail, and you receive an encrypted email, how do you read it without Google seeing the decrypted message?
Re: (Score:3)
There are GPG plugins for the web client but I have not used them.
Re: (Score:2)
It is commercial, but I've been using PGP Desktop (now Symantec Encryption Desktop) going on decades, and it is available for Windows and Macs. Main reason is that it is easy to copy some stuff, hit a key, instantly sign/encrypt/decrypt/validate it, then read or paste it. PGP Desktop also supports smart cards, which are the way to go when it comes to protecting one's private key (malware can only force the smart card to sign/decrypt, and not slurp the key up.)
It offers plugins for Outlook. For Thunderbir
Re: (Score:2)
I'm running Linux, so ordinary GPG with Claws-Mail (which includes gpg and S/MIME plugins).
Main reason is that it is easy to copy some stuff, hit a key, instantly sign/encrypt/decrypt/validate it, then read or paste it.
GPA/KGPG/Kleopatra also have similar features.
Re:It took mine. (Score:4, Informative)
Download the message using their IMAP servers. I use GMail, but very rarely do I actually log into the web UI anymore. All messages are either read on my phone or read on my computer with an actual email client. You avoid the ads, and you can read encrypted email. Not that I've ever bothered with encryption.
Re: (Score:2)
Copy and paste the text into your decoder?
Share your "encryption network" with Suckerberg! (Score:4, Insightful)
Right, that's exactly what you want to be doing if you are interested in encrypted communication... Share the list of other people who want to communicate with you via encryption. That way the most intentionally invasive service in the world can build a giant graph of everyone who communicates via encryption. Then the NSA will know who to focus their efforts on just by who has had the most people download their public key or who is at the center of the largest clusters of connectivity.
This could possibly be countered by having everyone download lots of random people's keys. But only if FB doesn't require you to be "friends" before you can exchange keys.
The best way to counter it is to let all the sheeple use it, to give the NSA something to play with, while the astute "encryptionistas" ignore it.
Re: (Score:2)
Share the list of other people who want to communicate with you via encryption.
If only you had read the summary you would realize that isn't the case. It just encrypts the notification emails that Facebook sends to you. Messages people send you on Facebook are not encrypted, only the notification email telling you that a message has arrived is.
Optionally you can share your public key on your profile, the same as if you pasted it into the "about me" box or whatever Facebook uses. Same as publishing it on your web site or a key server.
If you are wondering why Facebook doesn't encrypt m
Re: Share your "encryption network" with Suckerber (Score:2)
If only you had read between the lines of said summary, based on FB's past behavior. If you share your public key on your profile, I guarantee you that FB WILL keep track of everyone who downloads it.
The safest way to share your public key is to share it ubiquitously on your web page, in your e-mail signature, etcetera. Then no one can find out who is actually using it and who is ignoring it. (OK, other than deep scans of your traffic.)
Re: (Score:2)
The easiest way would be to look at your e-mail and see who is sending you PGP encrypted e-mails.
Re: (Score:2)
Facebook lets you control your public keys as if it were any other information: public, friends only, etc.
Re: (Score:2)
You have an awfully high opinion of yourself, for someone who misses the obvious.
If the NSA wants to know with whom you exchange encrypted email, they can get that information by watching your email. PGP and SMIME don't encrypt SMTP envelope data (metadata).
Any graph that FB builds would hardly be useful. It would be incomplete, because there are many established means of sharing public key data. And beyond that, viewing someone's key isn't a strong indication that you will email them with encryption. I
Re: (Score:2)
Wrong. That sound you just heard was the NSA's head asploding. These guys are *not* fans of end-to-end encryption by the public, or any entity other than themselves. It doesn't matter if they supposedly know who to focus on if they don't have the ability to decrypt the communications (unless they manage endpoint intrusion, but that's a separate problem). They want communications to be either a) unencrypted, or b) encrypted with a backdoor. Nevermind the fact that criminals and black hats would be just
Re: (Score:2)
Maybe you're right. But for me pgp encryption needs marketing so a lot of people start using or at least being aware of it. It needs to become mainstream.
Why not S/MIME? - Seems like a better technology to me, since you can encrypt entire MIME parts (including attachments and (some) headers) rather than just body text.
Re: (Score:3)
Seems like a better technology to me, since you can encrypt entire MIME parts (including attachments and (some) headers) rather than just body text.
Why do you think PGP can't do that? It can; that's what PGP/MIME is for.
Re: (Score:2)
Maybe you're right. But for me pgp encryption needs marketing so a lot of people start using or at least being aware of it. It needs to become mainstream.
Why not S/MIME? - Seems like a better technology to me, since you can encrypt entire MIME parts (including attachments and (some) headers) rather than just body text.
A PKI is required (or at least strongly encouraged, if users don't want to self-sign keys) for S/MIME. CA-issued keys typically cost money and expire at regular intervals. Outside of corporate environments with managed keyservers, S/MIME is quite uncommon. PGP is hardly common as it is, but it's likely more so than S/MIME.
Facebook can (and does) use PGP/MIME, which has the advantages of S/MIME that you mention while avoiding the downsides.
StartSSL issues free S/MIME certs (Score:2)
CA-issued keys typically cost money
StartSSL issues individual S/MIME certificates without charge.
PGP is hardly common as it is, but it's likely more so than S/MIME.
Perhaps it's uncommon because its proponents have failed to give a clear answer to this question: If someone doesn't regularly fly to key signing parties, how should he get his PGP key signed into the strongly connected subset of the web of trust?
Re: (Score:2)
If someone doesn't regularly fly to key signing parties, how should he get his PGP key signed into the strongly connected subset of the web of trust?
It's a moot point and a distraction. Most users don't focus that much on the WoT.
Re: (Score:2)
Since FB is already into the authenticating business, they would be an ideal CA for personal S/MIME certificates as well as a CA for people's OpenPGP keys. Having a web of trust is still an important thing, but FB leveraging their identity business would be useful here.
Re: (Score:2)
if users don't want to self-sign keys
Self-signed keys offer the same level of security as PGP, with no additional drawbacks, and don't require additional software.
S/MIME was introduced as an alternative to PGP because all of the software required to implement it was already included in email clients that support SSL connections to servers. Because the implementation is simpler, S/MIME is superior to PGP in pretty much every way.
Re: (Score:2)
S/MIME is better than nothing, but if a CA gets compromised, it is worthless. OpenPGP is a superset of S/MIME, because it can support a real web of trust, not just assuming one key is 100% trustworthy.
I prefer to pack my own parachute, and if one does keysigning parties properly, it ensures that knowing other people's key IDs is as iron-clad as one can get.
Re: Share your "encryption network" with Suckerber (Score:2)
Using JavaScript, FB can tell if someone selects your public key that is posted on your profile. (Yes, IF you choose to post it as well as just let FB use it. However most people are very likely to do so.) Have you ever clicked in a field that said "Search," or whatnot, only to have those words disappear as soon as you clicked there? That is JavaScript doing that. It is just as easy to have said JavaScript save the current user and the page's user and store them in a database. FB can then use this database
Doesn't matter (Score:2)
It doesn't matter if the end-to-end transmission is 100% secure if the information can be compromised at the server via selling-out or hacking.
Never assume your data is safe unless it's on an off-line computer or device in your possession.
Re: (Score:2)
Never assume your data is safe unless it's on an off-line computer or device in your possession.
And then never look at it, ever, because someone might have implanted a tiny camera in your eye (don't assume they haven't!). In fact, better just delete all your data now and save yourself the trouble.
Hacked by ad network (Score:2)
The only way to get a decrypted copy would be to break into his PC
Web advertising networks have been providing the service of breaking into viewers' PCs for years.
You still have to submit it (Score:2)
So how are you securely getting the email message to facebook to start with? I see an SSL connection that could easily have a "man in the middle" thing going on...
Re: (Score:2)
So how are you securely getting the email message to facebook to start with?
You're not. It's for encrypting communications from Facebook to you, not from other Facebookers.
Re: (Score:2)
So how are you securely getting the email message to facebook to start with? I see an SSL connection that could easily have a "man in the middle" thing going on...
Facebook is encrypting automated notification messages (e.g. "[Friend name] posted new photos. Click here to see them." or "[Friend name] sent you a message on Facebook. Login to read it.") that it sends to your email account. Messages sent within Facebook are still unencrypted, only the notification message sent to your non-Facebook email would be encrypted.
Meanwhile (Score:5, Insightful)
Slashdot still doesn't offer https support.
Subscription is broken (Score:2)
Slashdot used to offer HTTPS to subscribers, at a price of half a cent per page view (source: FAQ [slashdot.org]). But the subscription page [slashdot.org] is not only well hidden but also unavailable: "Buying or gifting of a new subscription is not available at the moment." The reason it was for subscribers only was that most advertising networks were HTTP-only, and browsers would block HTTP ads in HTTPS pages as "mixed content". Only in the past couple years did ad networks start to offer HTTPS.
Re: (Score:2)
Slashdot still doesn't offer https support.
Get in line, I'm waiting for UTF-8! ;)
how can we trust facebook? (Score:2)
errr, so i want to send a communication, ok? it's supposed to be private, right? but it's a web service: facebook could, at any time (even under secret fascist subpoena) change or be forced to change (without informing us) the user interface so that the encrypted message is no longer encrypted, but is in fact entirely in cleartext.
you might think, "ok, well, surely we could then just have a messenger service or app which does the job, and we could trust that, right?" and the answer is "well no, absolutely
Re: (Score:3)
That's not how it works. Facebook isn't letting you use PGP to encrypt user-to-user messages.
They're letting you upload your *public* key to your profile with the option to have Facebook encrypt any automated notification messages it sends to your email. This way those notification messages are protected from snooping as they traverse the internet between Facebook and your email server, while they are stored on the mail server, etc.
Re: (Score:2)
that's... amazing! i'm very impressed.
Re: (Score:3)
Facebook is not doing encrypted messaging between users. Did you RTFA at all?
All they are doing is:
1. Letting users upload their public key to their profile
2. Encrypting Facebook notifications sent to those users
3. Serving as another means of distributing public keys, since other users can download your pubkey from your profile. Which they can use in the e-mail client of choice
That's it.
Re: (Score:2)
Facebook is not doing encrypted messaging between users. Did you RTFA at all?
i did indeed... but it obviously wasn't clear enough. i believe that would come from the subject line saying "facebook is sending encrypted emails", rather than the subject saying "facebook allowing you to receive GPG-signed administrative notifications by email".
To borrow another user's analogy... (Score:3)
I think it was on a story about Facebook's .onion site, someone made a comment that also applies here:
"That's like putting a condom over the car you drive to the whorehouse."
20 years too late (Score:2)
PGP was created and promoted 20 frickin' years ago and mainstream websites are just now noticing? LMFAO.
Don't forget to get Facebook's own public key (Score:2)
KEYID: DEE958CF
Fingerprint: 31A7 0953 D8D5 90BA 1FAB 3776 2F38 98CE DEE9 58CF
The link Facebook gives is for a web proxy to the pgp.mit.edu keyserver, which tends to not be all that reliable when accessed directly and may be Slashdotted. So you might want to try doing this instead, on Linux anyway:
gpg --recv-keys DEE958CF
or if you have pgp-tools installed:
keylookup DEE958CF
or: with Seahorse it's Remote>Find Remote Keys
In GPA (Gnu Privacy Assistant) it's Server>Retrieve keys
Or with Kleopatra (the d
Re: (Score:2)
Your post explains, precisely, why the Gentle User cannot have nice things like PGP.
Re: (Score:2)
How so? I gave multiple methods, both command line and GUI for Linux, and GUI for Windows, since I don't know what people have installed. I tried to cover the most common ways. People can just stick with the GUI if they want.
I gave the KEYID and Fingerprint (also listed on the Facebook page) so people could get (and double check) that it's the right pubkey.
I could have just said:
"Open up your PGP/GPG GUI and search the keyservers for the Facebook, Inc pubkey."
But I was being more descriptive and thorough.
Re: (Score:2)
I apologize for being unclear.
I wasn't criticizing you.
I was criticizing PGP.
I asked my wife to look at a part of your response to me:
I gave multiple methods, both command line and GUI for Linux and GUI for windows since I don't know what people have installed. I tried to cover the most common ways. People can just stick with the GUI if they want.
She was all like, "Wait, what?"
You and I grok PGP, but she certainly doesn't, and she needs protection more than you or I do.
Re: (Score:2)
Thanks for the clarification. I must admit that I didn't start using gpg myself until 2007 because it seemed "intimidatingly complicated".
I'm not sure e-mail encryption can ever be "one button easy", since you have to create keys, edit and manage keys both public and secret, revoke keys, receive pubkeys, upload pubkeys, etc etc.
That said, the GUIs aren't that hard to use.....but.... it is a bit "fiddly" and sometimes the explanations make it seem more complex than it is. I rather like the gpg4win PDF d
Dear Mr. Zuckerberg... (Score:2)
We don't want you as our internet service provider. KTHXBYE.
Re: (Score:3)
Apparently you can make the pubkey public so that others can download it too. That makes Facebook another easy way to distribute a pubkey.
Re: (Score:3)
I wish more companies would support this. Even if it's just random status updates and reminders for services I use, I prefer absolutely everything to be encrypted. Fingers crossed that others follow suit.
Too hard to use (unfortunately) (Score:5, Interesting)
I wish more companies would support this. Even if it's just random status updates and reminders for services I use, I prefer absolutely everything to be encrypted.
In principle I agree with you. Unfortunately precisely none of the people I interact with on a daily basis have even the slightest interest in bothering with encrypting their communications. Worse, only a handful of them have the technical chops to do it properly. The rest wouldn't even begin to comprehend the need to jump through all the extra hoops. If they need to tell me something privately they simply do it in person where no one can listen. Using a tool like PGP securely is NOT simple and this will ensure it is never used except by a handful of crypto-geeks.
There currently is absolutely no way I am aware of to make public key encryption simultaneously simple AND secure. You can have one or the other but not both. It fails the "explain it to your grandmother test" badly. Until some clever soul can find a way to make it nearly transparent to use and still secure, end-to-end encryption will remain a play toy for paranoid geeks and the occasional clever ne'er-do-well.
Re: (Score:2)
For most people, there are not many easy to use tools to use PGP/gpg encryption. The easiest I've found is Symantec's Encryption Desktop (formerly PGP Desktop), and enigmail is decent, but in general, getting people to not just make a key, but have a usable web of trust that they can use with friends.
Even with the technical issue solved, similar to how encryption via S/MIME is just a matter of clicking a button in Outlook, it is a tough thing to get people to bother with encryption.
Maybe it is just me, but
Re: (Score:2)
One advantage would be that right now only high value information is encrypted, so the opposing entities can assume that anything encrypted is high value info. Encryption works because it keeps the cost of decrypting higher than the value of the information, if all of the crap flying was encrypted then the cost of getting the high value info would skyrocket so my sales presentation would be more secure from industrial spies because "Mary found a lost lamb on her farm" notices are encrypted too.
I doubt the problem is solvable (Score:2)
In the meantime focus on the tools and the generally (after 20 years time) still ridiculous state-of-affairs in terms of usability.
I'm not optimistic that the problem is solvable. I honestly do not see any way to make encryption both easy to use and secure/trustworthy. Any solution that makes it easy to use necessarily for most people involves trusting a third party that they do not know. Do you REALLY trust the company that wrote/compiled the encryption software you are using? I'm not a coder and even if I was I don't have the time or expertise to review the code. The whole point of encryption is that you don't want to trust thir
DigiCert (Score:3)
Tying a public key to your social media account is a good way to prove ownership without having to trust these notoriously dubious certification authorities.
You still have to trust DigiCert, the CA that signed the facebook.com certificate. That's on top of trusting Facebook, as you pointed out.
Re: (Score:2)
It's a public key. It does nothing to prove ownership. I could easily download any public key from a keyserver and add it to my account.
Re: (Score:2)
I could easily download any public key from a keyserver and add it to my account.
You "could", but it wouldn't match the contact info Facebook has for you:
"Hey, this public key is for malda@slashdot.org, not robert.thille@thille.org"
Neither would it do you any good since Facebook would then encrypt e-mail to that pubkey, which you don't have the private key for.
You also could not send an e-mail that could be verified by that public key.
Re: (Score:2)
In addition Facebook sends you an encrypted e-mail to confirm the sending of encrypted notifications. If you don't click a link in that e-mail, thus proving you can decrypt the messages they encrypt to that key, they won't encrypt.
Re: (Score:2)
Yes... if you send your emails to people through a Facebook client, instead of downloading the key and sending encrypted mails via your own email client.
Aside from actually doing something stupid like sending emails from FB (where you'd have to trust them anyway to not store your unencrypted text before they encrypted it for you), there is actually no issue with Facebook or the United States doing this.
FB hosting your public key has zero effect on anything. You are supposed to distribute your public key wi
Re: (Score:2)
FB hosting your public key has zero effect on anything. You are supposed to distribute your public key widely. The actual problem with public keys is ensuring that your public key is actually your public key for the purposes of not sending an email that someone else can read.
Well... exactly. So if all that is happening here is that facebook is another public key server then this is really a non-story. The interesting prospect of this is that facebook, by its nature, has the ability to verify your identity. So, instead of the user dealing with the prompt "Do you want to add key 'such and such' from 'so and so' to your key store?" and then having to either manually verify that (not practical) or blindly trust that it's valid (99.999999999999% of real world use) they could pass
Re: (Score:2)
What if they show you your public key, but they show others their public key they created to proxy for you, And suggest they mail you at the @facebook.com email address they rolled out years ago?
Yeah, they'd get caught in a heartbeat, and it'd never work in practice, but for the paranoid it might be a worry...
Re: (Score:2)
If that would never work without them getting caught immediately, what is the point of saying this is a potential problem? Are you one of the paranoid who this would be a concern for? Or are you just spreading FUD?
Re: (Score:2)
No, I was just trying to put myself in the head of the wack-a-doodles who think that FB & Google are out to get them in particular, rather than to just make billions of $$$s.
Re: (Score:2)
What is the problem you are alluding to?
Re: (Score:2)
Can I have your private key?
(Pretty sure you meant 'public key' there.)
Re: (Score:2)
Derp.
Re: (Score:2)
Do you not know how PGP/GPG works? A key has two parts, a private key that you keep, and a public key which you can distribute how you want. You want EVERYONE to have your public key. That is what lets others encrypt communications to you. It also lets others "verify" messages "signed" by you.
That's it.
So you don't have to trust (Score:2)
My point is that Facebook should not be trusted with anything related to encryption.
I think the entire point of (properly done) encryption is that you don't have to trust Facebook. At all. And frankly based on their behavior and that of certain three letter agencies you really shouldn't trust them. I certainly don't but my answer to that is to not use Facebook.
The problem with good encryption is really more in the usability of it than the technology. The technological problems are well understood. The problem is that no one has come up with a way to make encryption both easy to use an
Re: (Score:2)
Well, you shouldn't give them the private key, obviously.
Re: (Score:2)
It makes stealing your account a lot more difficult. If someone p0wns your email, they can no longer use FB's "reset my password" tool to compromise your FB account. The password reset mail (or the change of email confirmation) will be encrypted.
Re: (Score:3)
a) They'll also be offering key distribution.
b) Yes! 1) It prevents whoever is intercepting my emails (let's assume facebook is feeding info to the NSA here, but it could still keep out the Iranians/cybercriminals etc) knowing that Susie (networks:I hate Ahmadinejad) communicates with me. ie. Communications metadata - a pretty big thing [zdnet.com]. 2) It moves towards a model of (increased) privacy by default. This is good because it makes bulk collection much more difficult (even if they can crack the encryption it
Re: (Score:2)
It's worse than that.
What stops FB from making a client that encrypts locally but sends the private key to the NSA?
Susie might not like Iran's PM but what if she hates the next POTUS? What if she wants to protest a future POTUS' plans to start a war? Susie's not going to be able to exercise her rights.
Re: (Score:2)
Is there a way I'm not aware of to derive a private key from a public key? If I only ever give facebook my public key how the hell would they ever get my private key? Are you saying facebook hacks my home desktops to steal private keys?
Re: (Score:2)
Is there a way I'm not aware of to derive a private key from a public key? If I only ever give facebook my public key how the hell would they ever get my private key? Are you saying facebook hacks my home desktops to steal private keys?
If you read what denis-The-menace wrote, you'll see Facebook could ask users to give their private key to their (presumably closed-source) client, which could do anything with it. Responding with suspecting them of having some method of deriving the private key, or that uneducated users would really only give Facebook public keys, or Facebook hacking desktops does not address denis-The-menace's actual concern: public-key cryptography is very easy to exploit when the user-base is uneducated in its use, and F
Re: (Score:2)
I'm confused here, so going to try to untangle a few things:
1: From TFA, FB will take a copy of your public key, and use it to optionally send its messages PGP/gpg signed or signed and encrypted.
2: It will allow others to fetch a copy of your PGP/gpg key.
I don't see where it does any encryption/decryption with one's private key. That is still handled by a plugin in the user's MUA or manual copy/paste into a PGP/gpg application.
The only thing FB can do is replace Alice's key with Charlie's and try to
Use a different client for key generation/storage (Score:2)
What stops FB from making a client that encrypts locally but sends the private key to the NSA?
Nothing but you can use a different client. The key doesn't care what client you created it in. Frankly I have no idea why anyone would regard FB as a trusted party. FB should never ever see the private key. If they do then you may as well presume your encryption is broken.
Re: (Score:2)
Uh, if Facebook is doing the encryption that means they have the unencrypted plaintext.
Uh, if my friend Bob is doing the encryption that means he has the unencrypted plaintext. Oh noes.
How does Facebook encrypting the message on the last leg of its journey to you prevent the NSA from intercepting the plaintext anywhere else along the chain, including having access to Facebook's servers?
Because that "last leg" involves leaving Facebook's private servers and traversing the internet to get to your ISP/mail provider, where plenty of people other than the NSA (who may or not have unfettered access to Facebook's servers) will be interested in the contents of your email (including your ISP/mail provider)
Might as well dismiss improved plane safety because it doesn't stop you getting in car crash on y
Re: (Score:2)
Uh, if Facebook is doing the encryption that means they have the unencrypted plaintext. How does Facebook encrypting the message on the last leg of its journey to you prevent the NSA from intercepting the plaintext anywhere else along the chain, including having access to Facebook's servers?
Encryption that isn't performed on your machine isn't useful encryption.
Not all adversaries have access (either through legal methods like subpoenas, or otherwise) to Facebook. As an example, a non-US government might be snooping on network connections or foreign mail servers, or they might subpoena those services to gain information on a user. Network providers might monitor user traffic for advertising or other purposes. Email services like Gmail can scan a user's messages to build up a profile or get information on a user.
Accessing Facebook over HTTPS provides protection fro
Re: (Score:2)
b) It's worth encrypting everything. This protects your data not only from the spooks, but from gmail/live/your ISP/whatever free client you may use.
Re: (Score:2)
I even avoided having my mug in paper yearbooks. I'm not about to put my face on the internet next to my name so someone I flipped the bird to for snapping my picture can search for my face to find me to exact revenge.
I guess facebook is doing this because it doesn't do email. ( haven't seen too many @facebook.com email addresses around.)
I don't think I mind because maybe this will get enough people using encryption that it becomes worth using. But damn, I don't want to touch Facebook - icky sticky...e
Re: (Score:2)
I guess facebook is doing this because it doesn't do email. ( haven't seen too many @facebook.com email addresses around.)
Facebook used to do e-mail, every user had a @facebook.com e-mail address, but shut that down last year.
http://yro.slashdot.org/story/... [slashdot.org]
Re: (Score:2)
Is it worth encrypting:
a) You just asked to change your primary email to kiddie@yougotpwned.com. Click this link to confirm.
b) You just asked to reset your password. Click this link to confirm.
?
Re: (Score:2)
If somebody spent 1,000 hrs of CPU time and finds out that "Susie replied to your comment on Facebook! Click here to login and see.", how likely are they to keep crunching away until they find the good stuff?
Re:A small step in the right direction (Score:4, Informative)
When will /. implement a similar mechanism?
It already did, years ago, there's a field for it in:
https://slashdot.org/users.pl?... [slashdot.org]
Too difficult for the value to most people (Score:2)
First it raises awareness about PGP which might cause more people to use PGP to encrypt and sign their emails.
No it won't. The only people that will do it are crypto-geeks. It will not result in widespread adoption. Most people A) don't give a shit, B) don't understand public key encryption, C) can't be bothered even if they do understand it, and D) the people they communicate with think A, B and C as well. The value of it is not commensurate with the difficulty of using it to most people most of the time.
Re: (Score:2, Insightful)
Fail. "You" is dative, not a typo for genitive "your".
Re: (Score:3)
I'm wondering how they encode the messages, do they use PGP Inline or PGP/MIME? Has anybody tried it and can comment on that?
I'm using it. They use PGP/MIME.
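An added example (not code from the thread or from Facebook) showing the difference the question above is about: PGP/MIME per RFC 3156 wraps the whole inner MIME entity, attachments and inner headers included, in a two-part multipart/encrypted container, whereas inline PGP just drops an armored block into a text/plain body. The classifier below tells the two apart and extracts the armored ciphertext you would pipe to gpg --decrypt. The three messages are constructed samples with placeholder armor, not real notifications. Note that even with PGP/MIME the outer Subject and envelope headers stay in the clear, which is relevant to the earlier S/MIME comparison.

```python
"""Tell PGP/MIME (RFC 3156) apart from inline PGP and pull out the armored
ciphertext.  Added example; the sample messages are constructed."""
import email
from email import policy
from typing import Optional

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"


def classify_pgp(raw: str) -> str:
    """Return 'pgp/mime', 'inline', 'malformed' or 'none' for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/encrypted":
        # RFC 3156: exactly two parts, a "Version: 1" control part, then the ciphertext.
        parts = list(msg.iter_parts())
        if (msg.get_param("protocol") == "application/pgp-encrypted"
                and len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"
                and parts[1].get_content_type() == "application/octet-stream"):
            return "pgp/mime"
        return "malformed"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and ARMOR_BEGIN in body.get_content():
        return "inline"
    return "none"


def extract_armor(raw: str) -> Optional[str]:
    """Return the ASCII-armored PGP MESSAGE block, whichever encoding was used."""
    kind = classify_pgp(raw)
    msg = email.message_from_string(raw, policy=policy.default)
    if kind == "pgp/mime":
        payload = list(msg.iter_parts())[1].get_content()  # bytes for octet-stream
        text = payload.decode("ascii") if isinstance(payload, bytes) else payload
    elif kind == "inline":
        text = msg.get_body(preferencelist=("plain",)).get_content()
    else:
        return None
    start, end = text.find(ARMOR_BEGIN), text.find(ARMOR_END)
    if start < 0 or end < 0:
        return None
    return text[start:end + len(ARMOR_END)]


# Constructed sample in the PGP/MIME layout; the armored body is a placeholder.
PGP_MIME_SAMPLE = """\
From: notification@example.com
To: alice@example.org
Subject: New notification
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted
Content-Description: PGP/MIME version identification

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"
Content-Description: OpenPGP encrypted message

-----BEGIN PGP MESSAGE-----

hQEMA0FBQ0VEQUJDREVGAQf/placeholder
=AbCd
-----END PGP MESSAGE-----

--b1--
"""

# Constructed sample of inline PGP: armor pasted straight into a text body.
INLINE_SAMPLE = """\
From: bob@example.org
To: alice@example.org
Subject: hi
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

hQEMA0FBQ0VEQUJDREVGAQf/placeholder
=AbCd
-----END PGP MESSAGE-----
"""

# Constructed sample with no encryption at all.
PLAIN_SAMPLE = """\
From: bob@example.org
To: alice@example.org
Subject: hi
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Nothing encrypted here.
"""

if __name__ == "__main__":
    for name, raw in (("pgp/mime", PGP_MIME_SAMPLE), ("inline", INLINE_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, "->", classify_pgp(raw))
```

For a PGP/MIME message the inner entity that gpg decrypts is itself a full MIME part, so an attachment and its Content-Type come out intact; for inline PGP only the text is protected and a mail client has to guess at everything else.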
Re: (Score:2)
"gpg --export -a", exports ALL the public keys you have into one file, not just your own. You need to give gpg the ID/name/e-mail associated with the key you want to export.
It worked just fine for me, though might try feeding the output into xclip as follows:
gpg --export -a KEYID | xclip -i
Re: (Score:2)
According to Facebook's page on gpg:
"Facebook notifications are encrypted with a version of GPG that supports encryption with the RSA or ElGamal algorithms"
Could that be the reason? Is your pubkey DSA?
They don't mention any bit depth limit, people have tested 4096 keys with it and it's working.
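An added example (not code from the thread or from Facebook) that covers two points raised above: the earlier post's advice to double-check the fetched key against the listed fingerprint, and the question here about DSA keys. It parses the machine-readable output of gpg --with-colons --fingerprint, compares the full 40-hex fingerprint rather than the 32-bit short key ID (which is cheap to collide), and checks that a live encryption-capable key exists; a DSA primary key with no RSA/ElGamal/ECDH subkey is sign-only and cannot receive encrypted notifications. The primary fingerprint in the first listing is the one the post above gives; the subkeys, dates, uid hash and the whole DSA listing are constructed for illustration.

```python
"""Sanity-check a `gpg --with-colons --fingerprint` listing before trusting a key.
Added example; the listings below are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# OpenPGP public-key algorithm IDs (RFC 4880 section 9.1).
ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
ENCRYPT_ALGOS = {1, 16, 18}           # the only ones that can encrypt at all
DEAD_VALIDITY = {"r", "e", "i", "d"}  # revoked, expired, invalid, disabled


@dataclass
class KeyRecord:
    kind: str          # "pub" or "sub"
    validity: str      # colon field 2
    bits: int          # field 3
    algo: int          # field 4
    keyid: str         # field 5, the 64-bit long key ID
    caps: str          # field 12; lowercase letters are this key's own capabilities
    fingerprint: str = ""


def normalize_fpr(text: str) -> str:
    """'31A7 0953 ...' and '31a70953...' compare equal."""
    return "".join(text.split()).upper()


def short_keyid(fingerprint: str) -> str:
    """The 32-bit short ID is just the last 8 hex digits of the fingerprint."""
    return normalize_fpr(fingerprint)[-8:]


def parse_listing(listing: str) -> List[KeyRecord]:
    keys: List[KeyRecord] = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys.append(KeyRecord(kind=f[0], validity=f[1], bits=int(f[2]),
                                  algo=int(f[3]), keyid=f[4], caps=f[11]))
        elif f[0] == "fpr" and keys:
            keys[-1].fingerprint = f[9]  # an fpr record follows the key it belongs to
    return keys


def check_key(listing: str, expected_fingerprint: str) -> Dict[str, object]:
    """Report whether the primary fingerprint matches and whether anything can encrypt."""
    keys = parse_listing(listing)
    if not keys or keys[0].kind != "pub":
        raise ValueError("no primary key in listing")
    primary = keys[0]
    usable = [k for k in keys
              if "e" in k.caps and k.algo in ENCRYPT_ALGOS and k.validity not in DEAD_VALIDITY]
    return {
        "fingerprint_ok": primary.fingerprint == normalize_fpr(expected_fingerprint),
        "primary_algo": ALGO_NAMES.get(primary.algo, str(primary.algo)),
        "encrypt_capable": bool(usable),
        "encrypt_keys": [(k.keyid, ALGO_NAMES[k.algo], k.bits) for k in usable],
    }


# Fingerprint as given in the post above; everything else in this listing is constructed.
FACEBOOK_FINGERPRINT = "31A7 0953 D8D5 90BA 1FAB 3776 2F38 98CE DEE9 58CF"
FACEBOOK_LISTING = """\
tru::1:1433800000:0:3:1:5
pub:-:4096:1:2F3898CEDEE958CF:1433000000:::-:::scESC::::::23::0:
fpr:::::::::31A70953D8D590BA1FAB37762F3898CEDEE958CF:
uid:-::::1433000000::0000000000000000000000000000000000000000::Facebook, Inc.::::::::::0:
sub:e:2048:1:1111111111111111:1400000000:1430000000:::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111111111111111:
sub:-:4096:1:0123456789ABCDEF:1433000000:1464536000:::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
"""

# Constructed: a lone DSA primary key, which can sign and certify but never encrypt.
DSA_ONLY_LISTING = """\
pub:-:1024:17:FEDCBA9876543210:1200000000:::-:::scSC::::::23::0:
fpr:::::::::111122223333444455556666FEDCBA9876543210:
uid:-::::1200000000::0000000000000000000000000000000000000000::Example DSA user::::::::::0:
"""

if __name__ == "__main__":
    print(check_key(FACEBOOK_LISTING, FACEBOOK_FINGERPRINT))
    print(check_key(DSA_ONLY_LISTING, "1111 2222 3333 4444 5555 6666 FEDC BA98 7654 3210"))
```

In the first listing the primary key carries only lowercase "sc", so it never encrypts itself; the uppercase "ESC" says the key as a whole can, and the check finds which subkey that actually is, skipping the expired one. That is why a rotated encryption subkey works transparently as long as the primary fingerprint is the one you verified.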
Re: (Score:2)
This doesn't prove who sent the message. A message must be encrypted with the receiver's public key and encrypted again with the sender's private key. Once again, all security depends on the integrity of the public-key server. Such servers can't prevent man-in-the-middle attacks.
In addition to encrypting messages to your public key, Facebook also digitally signs the messages using their private key and rotates the signing subkey every few months.
The fingerprint of their primary key (which is used to sign the signing subkeys) is available on their HTTPS-secured announcement page [facebook.com].
Additionally, all outgoing emails from Facebook are DKIM-signed, adding further assurance that it's from them.
Sure, it's *possible* that an HTTPS connection may be MITMed and DKIM records spoofed, but that r
Re: (Score:2)
This. It's the Dilbert effect, and sadly, happens.
Re: (Score:2)
Symantec Encryption Desktop does exactly this. Sits in the systray, click on it, and it can encrypt/decrypt the clipboard contents, files, and other stuff.
There used to be a few other products in Windows that can do this, but almost all projects except for GPG4Win have died off.
Re: (Score:2)
They'd still have to drug me and hit me with a $5 wrench to get the passphrase to that private key.
Obligatory OTHER encryption related XKCD:
http://xkcd.com/538/ [xkcd.com]