Facebook recently announced it is adopting OpenPGP encryption for its messaging services and will also allow users to post their public keys on their Facebook profiles. How will these developments improve Facebook security? Should other services and messaging apps do the same?
The Snowden revelations have increased everyone's concerns about online privacy, and several large Internet companies are starting to augment the security controls that keep their users' online data and communications safe from snooping. For example, most popular websites now use digital certificates to enable users to view their pages over HTTPS, which encrypts traffic between the server and browser. This security control is used by Facebook, which also makes use of the HTTP Strict Transport Security mechanism, which instructs browsers to only connect to Facebook using HTTPS. For those users who want additional privacy, Facebook offers a Tor onion site. (Note that this link will only work in Tor-enabled browsers.)
There are some gaps in Facebook's deployment of encryption, however; for example, Facebook Messenger doesn't provide end-to-end encryption at the moment, and although the company uses TLS to secure its connections to users' email providers, the messages it sends to their personal email addresses are in cleartext. This means that although a message is encrypted as it travels from Facebook's servers to a user's mail server, it can be read by anyone with access to the account once it has been delivered, such as their ISP. Facebook sends users various email alerts for account notifications -- such as a password reset -- which contain sensitive information that needs to be better protected.
End-to-end encryption is difficult for the nontechnically minded person to understand and use, as it typically requires a manual process of exchanging public keys between the sender and receiver whenever they send an email or any other type of message. This has held up the widespread adoption of email encryption.
Nevertheless, Facebook announced it intends to support end-to-end email encryption by allowing users to upload their OpenPGP public keys to their profile. This will allow anyone, including Facebook, to send the user encrypted emails using PGP-based encryption. If the user's email account is ever hacked or messages are intercepted in transit, Facebook notifications and emails that were encrypted with the user's public key will remain unreadable. Facebook will also sign outbound messages to users who opt in to receive encrypted notifications using its own OpenPGP key to provide assurance that the email is actually from Facebook.
OpenPGP is an open source end-to-end encryption standard that's been around for nearly 20 years. Although it uses digital certificates, it doesn't rely on a hierarchy of certificate authorities to authenticate public key information. Instead, certificates are signed by other users to endorse the association of that public key with the person or entity listed in the certificate. This decentralized trust model is called a Web of trust. Facebook has chosen to use GNU Privacy Guard (GPG), a widely used and free implementation of the OpenPGP encryption standard. The software needed to generate and manage a pair of PGP keys, along with how-to guides, can be downloaded from the GPG site.
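The exchange described in the two paragraphs above, reproduced with the GnuPG command line in throwaway keyrings. This is an added example, not Facebook's code: the names, addresses and message text are constructed, and the "service" keyring stands in for any sender that encrypts to an uploaded public key and signs with its own.

```shell
# Added example: every name, address and message below is constructed.
# g HOMEDIR ARGS...: run gpg non-interactively against one throwaway keyring.
g() {
  h=$1; shift
  gpg --homedir "$h" --batch --quiet --no-tty \
      --pinentry-mode loopback --passphrase '' "$@"
}

# fpr_of HOMEDIR USER-ID: print the primary-key fingerprint.
fpr_of() {
  g "$1" --with-colons --fingerprint "$2" |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# setup_parties DIR: create both key pairs and exchange the public halves.
setup_parties() {
  mkdir -p "$1/user" "$1/service" && chmod 700 "$1/user" "$1/service"
  g "$1/user" --quick-generate-key 'Alice <alice@example.org>' default default never
  g "$1/service" --quick-generate-key 'Notifier <notify@service.example>' default default never
  # The user uploads only the public key; the private key never leaves "user".
  g "$1/user" --armor --export alice@example.org > "$1/alice.pub.asc"
  g "$1/service" --import "$1/alice.pub.asc"
  # The service publishes its own public key so recipients can check signatures.
  g "$1/service" --armor --export notify@service.example > "$1/service.pub.asc"
  g "$1/user" --import "$1/service.pub.asc"
}

# send_notification DIR TEXT: sign with the service key, encrypt to the user's key.
send_notification() {
  # --trust-model always: the service accepts the key because the account
  # owner uploaded it, not because of Web-of-trust signatures.
  printf '%s\n' "$2" | g "$1/service" --trust-model always --armor \
      --sign --encrypt -r alice@example.org > "$1/mail.asc"
}

# read_notification DIR PINNED_FPR: decrypt, and release the plaintext only if
# the signature is valid AND made by the key whose fingerprint was pinned.
read_notification() {
  g "$1/user" --status-fd 3 --decrypt "$1/mail.asc" \
      > "$1/plain.txt" 3> "$1/status.txt" || return 1
  signer=$(awk '$2 == "VALIDSIG" { print $NF }' "$1/status.txt")
  [ -n "$signer" ] && [ "$signer" = "$2" ] || return 1
  cat "$1/plain.txt"
}
```

The fingerprint passed to `read_notification` should come from a channel other than the email itself; a valid signature from an unpinned key is treated as a failure.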
At the moment, Facebook's new OpenPGP encryption feature only works on desktops and doesn't yet support mobile devices, but by promoting its use, Facebook could help increase the use of encryption to protect the content of emails across a range of online services. Encryption works best if it's ubiquitous and automatic; it also means an agency can't distinguish a simple conversation from a highly sensitive discussion.
Facebook is not alone in adding further encryption into its services and apps. For example, Yahoo and Google's end-to-end email encryption extensions are also based on OpenPGP encryption, while Open Whisper Systems, Silent Circle and Apple's iMessage all offer end-to-end encryption. Governments are concerned that strong encryption restricts their ability to counter the threat of terrorism, while others see it as a privacy-preserving technology. That's a debate for another time, but you should certainly expect to see more vendors incorporating encryption into their services and messaging apps.
Ask the Expert:
Perplexed about application security? Send Michael Cobb your questions today. (All questions are anonymous.)