Public keys can be shared on the Facebook profile

Jun 1, 2015 13:09 GMT

Facebook takes another step towards making communication with its users more secure by deploying an experimental feature that delivers the content of the emails it sends in a fully encrypted state, readable only at the destination.

The mechanism employs the open-source OpenPGP encryption standard derived from Phil Zimmermann’s PGP (Pretty Good Privacy) that relies on public key cryptography to secure data transmission.

The principle behind OpenPGP is that content can be encrypted with a public key available to anyone and decrypted only with a corresponding private key, which is accessible only to the owner of the pair. This way, the communication is scrambled at the source and unlocked at the destination.

Email content is also protected at rest

“It's very important to us that the people who use Facebook feel safe and can trust that their connection to Facebook is secure; for instance this is why we run connections to our site over HTTPS with HSTS and why we provide a TOR onion site for people who want to enjoy security guarantees beyond those offered by HTTPS,” Facebook says in a post published today.

Although email exchange is protected in transit, someone with access to a user's email account, or the email provider itself, can still read the delivered content in plain text, an issue that end-to-end encryption with OpenPGP addresses.

Facebook started to test the new system on Monday and allows its users to provide a public key in the “About” section of the social network profile. The visibility of the key is subject to the network's privacy settings: it can be viewed by anyone or only by selected contacts.

There is also an option that asks Facebook to encrypt all future notifications with the user's public key. The switch does not take effect immediately; it first goes through a verification stage, which checks that the user can actually decrypt content encrypted with the provided public key.

Public key management on mobile not supported yet

According to today’s post, Facebook’s OpenPGP key has a long-term primary key and a set of short-term sub-keys, a model that allows rotating the active keys, preserving at the same time the web of trust and identity over a longer period.
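To make the opt-in flow and the key layout concrete, here is an added example (not from the article or from Facebook) that plays both sides with GnuPG 2.1 or later: the user generates a long-term primary key with a rotatable short-lived encryption subkey, exports the public key to paste into the profile, and the service encrypts a verification message that only the private-key holder can decrypt. It assumes `gpg` is installed; the user ID and the token are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's or Facebook's own code. Requires GnuPG 2.1+.
set -e

pgp_opt_in_demo() {
    # 1. User side: fresh keyring with an unprotected test key (constructed user ID).
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # "default default never": long-term primary key (certify+sign, no expiry)
    # plus an encryption subkey, the primary/sub-key model described above.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'alice@example.invalid' default default never 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-keys 'alice@example.invalid' \
          | awk -F: '$1=="fpr"{print $10; exit}')

    # Add a short-lived encryption subkey (1 year). Subkeys like this are what
    # get rotated; the primary key and the signatures on it stay in place.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" default encrypt 1y 2>/dev/null

    # Export the ASCII-armored public key: the text a user would paste into the
    # "About" section. Only public material leaves the user's machine.
    gpg --batch --armor --export "$fpr" > "$GNUPGHOME/alice.pub.asc"

    # 2. Service side: separate keyring, import the pasted key, encrypt a
    #    verification token to it. The service cannot read the result itself.
    svc_home=$(mktemp -d); chmod 700 "$svc_home"
    gpg --homedir "$svc_home" --batch --quiet --import "$GNUPGHOME/alice.pub.asc" 2>/dev/null
    echo "verification token: constructed-token-123" |
        gpg --homedir "$svc_home" --batch --quiet --trust-model always \
            --armor --recipient "$fpr" --encrypt > "$svc_home/challenge.asc"

    # 3. User side: decrypting the challenge proves possession of the private
    #    key; returning its content is what completes the verification stage.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$svc_home/challenge.asc" 2>/dev/null
}
```

Running `pgp_opt_in_demo` prints the recovered token; `gpg --list-keys` in the temporary `GNUPGHOME` shows the primary key with two encryption subkeys, one expiring in a year.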

The OpenPGP standard is implemented via GNU Privacy Guard, which includes the ElGamal encryption algorithm. Facebook says that, at the moment, public key management is not supported on mobile devices but it is looking into ways to make it possible.

[Image: Public key can be added from the About page of the Facebook profile]

[Image: Users can choose to receive encrypted messages from Facebook]