In an interesting move, Facebook announced yesterday that they want to enhance their security for users with OpenPGP. They mentioned they use HTTPS with HSTS, and for the uber-private among us, even their own Tor Onion site. Now they want to let users add public cryptographic keys to their profiles.
OpenPGP, which was originally just PGP, was created twenty-five years ago to encrypt emails. For more information, the Electronic Frontier Foundation has an introduction, along with install guides for Windows, Mac OS X and Linux.
Facebook already secures connections to email providers through TLS. TLS, which stands for Transport Layer Security, is meant to be an upgrade to SSL, or Secure Sockets Layer. It’s a cryptographic protocol within the Internet Protocol Suite (TCP/IP).
Facebook mentions that although they use TLS, the “stored content of those messages may be accessible as plaintext (with attachments) to anyone who accesses your email provider or email account.”
In order to boost the security of this, Facebook plans to roll out an experimental feature that lets people add their OpenPGP public keys to their profiles. Those keys are used to send end-to-end encrypted notification emails from Facebook to whichever email account(s) you prefer. People can also share their public key without enabling encrypted notifications.
It’s a bold move that flies in the face of entities like the NSA, and as it turns out key parts of the Patriot Act expired just last night (or today at 12:00 AM). Using a desktop browser, you can add your public key to your profile in the About section.
Once encrypted notifications are enabled, Facebook will encrypt outbound notification messages to your public key, so you don’t have to do it manually. Facebook uses a free implementation of OpenPGP called GPG, or GNU Privacy Guard.
In order to do this, Facebook’s OpenPGP key consists of a long-term primary key with temporary subkeys, which lets them regularly rotate the keys used in day-to-day operation. At the time of this writing, Facebook’s primary key fingerprint is:
31A7 0953 D8D5 90BA 1FAB 3776 2F38 98CE DEE9 58CF
The operational subkey for this is:
D8B1 153C 9BE9 C7FD B62F 7861 DBF4 E8A2 96FD E3D7
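Because the operational subkey rotates while the primary key stays fixed, the thing worth pinning is the primary fingerprint above, and the check you want is "does the subkey that signed this mail belong to that primary key?" The following is an added example, not code from Facebook or from this post, showing how to make that check against the machine-readable `--with-colons` listing that GnuPG produces. The listing embedded below is constructed from the two fingerprints quoted above (the creation and expiry timestamps and the user ID are made up); the function names are my own.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output,
# built from the two fingerprints quoted above. Timestamps and the user ID
# are invented for the example. Field layout follows GnuPG's DETAILS file:
# record type in field 1, key ID in field 5, capabilities in field 12
# (pub/sub records) and the fingerprint in field 10 (fpr records).
SAMPLE_LISTING = """\
tru::1:1433100000:0:3:1:5
pub:u:4096:1:2F3898CEDEE958CF:1433000000:::u:::scESC::::::23::0:
fpr:::::::::31A70953D8D590BA1FAB37762F3898CEDEE958CF:
uid:u::::1433000000::0123456789ABCDEF0123456789ABCDEF01234567::Facebook (constructed sample) <notifications@example.invalid>::::::::::0:
sub:u:4096:1:DBF4E8A296FDE3D7:1433000000:1464536000:::::s::::::23:
fpr:::::::::D8B1153C9BE9C7FDB62F7861DBF4E8A296FDE3D7:
"""

# The fingerprints as a person would paste them from the post above.
PINNED_PRIMARY = "31A7 0953 D8D5 90BA 1FAB 3776 2F38 98CE DEE9 58CF"
CURRENT_SUBKEY = "D8B1 153C 9BE9 C7FD B62F 7861 DBF4 E8A2 96FD E3D7"


def normalize_fingerprint(text):
    """Strip spaces/colons and upper-case a 40-hex-digit OpenPGP v4 fingerprint.

    Rejects anything else so a truncated or mistyped value never silently
    "matches" by prefix.
    """
    fpr = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % (text,))
    return fpr


def parse_colon_listing(listing):
    """Parse GnuPG colon output into {primary_fpr: {"caps": str, "subkeys": {sub_fpr: caps}}}.

    A `pub` or `sub` record carries the capabilities; the fingerprint arrives
    in the `fpr` record that immediately follows it, so the two are paired up.
    """
    keys = {}
    current_primary = None
    pending = None  # (record type, capabilities) waiting for its fpr record
    for line in listing.splitlines():
        fields = line.split(":")
        rectype = fields[0]
        if rectype in ("pub", "sub"):
            pending = (rectype, fields[11] if len(fields) > 11 else "")
        elif rectype == "fpr" and pending is not None:
            fpr = fields[9]
            kind, caps = pending
            if kind == "pub":
                current_primary = fpr
                keys[fpr] = {"caps": caps, "subkeys": {}}
            elif current_primary is not None:
                keys[current_primary]["subkeys"][fpr] = caps
            pending = None
    return keys


def check_signer(keys, expected_primary, signer):
    """True iff `signer` is the pinned primary key itself or a signing-capable
    subkey bound to it. Any other key, including a signing subkey under some
    other primary key, is rejected."""
    expected = normalize_fingerprint(expected_primary)
    signer = normalize_fingerprint(signer)
    info = keys.get(expected)
    if info is None:
        return False
    if signer == expected:
        return "s" in info["caps"].lower()
    caps = info["subkeys"].get(signer)
    return caps is not None and "s" in caps.lower()


if __name__ == "__main__":
    keyring = parse_colon_listing(SAMPLE_LISTING)
    print("subkey accepted:", check_signer(keyring, PINNED_PRIMARY, CURRENT_SUBKEY))
    print("unknown key accepted:", check_signer(keyring, PINNED_PRIMARY, "0" * 40))
```

The point of the design is that the primary fingerprint comes from an out-of-band source (this post, Facebook's own page) and is pinned once, while the subkey is looked up in the keyring listing each time; when Facebook rotates the operational subkey, a fresh key refresh makes the new subkey pass without the pinned value changing.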
As a final note, public key management is not available on mobile devices, but Facebook says they are “investigating ways to enable this.”