06-01-2015, 05:18 PM
http://arstechnica.com/security/2015/06/...-security/
Facebook users can now add OpenPGP keys for improved e-mail security
Another step towards more secure online services.
![[Image: facebook-openpgp-page-640x328.png]](http://cdn.arstechnica.net/wp-content/uploads/2015/06/facebook-openpgp-page-640x328.png)
Facebook has announced that its users can add an OpenPGP public key to their profile. This will allow Facebook to encrypt notification e-mails, and for others to use the public keys for encrypted communications. Facebook is "gradually rolling out" this experimental feature, which will be available from your account's Contact and Basic Info page.
Facebook says it has chosen to use GNU Privacy Guard (GPG) for its implementation. Back in February, the company stepped in with a $50,000 donation when the GPG project was struggling to raise funds to secure its future. As far as the detailed implementation is concerned, Facebook's notifications will be encrypted using the RSA or ElGamal algorithms, and the company is "investigating the addition of support for GPG's newer elliptic curve algorithms in the near future." Facebook is also looking at ways of offering public key management on mobile devices, not currently supported.
When encrypted notifications are enabled on an account, Facebook will sign outbound messages using its own private key to provide greater assurance that the contents of inbound e-mails are genuine—one of the chief benefits of the new feature. It means, for example, that users can be sure that password reset messages do indeed come from Facebook rather than someone masquerading as the company.
Although limited in its impact, the move is a step beyond HTTPS by default, which the company rolled out two years ago. Facebook's example may encourage other online services to follow suit, and could also help to raise awareness of the general idea of end-to-end encryption for email.
This post originated on Ars Technica UK
Facebook users can now add OpenPGP keys for improved e-mail security
Another step towards more secure online services.
Facebook has announced that its users can add an OpenPGP public key to their profile. This will allow Facebook to encrypt notification e-mails, and for others to use the public keys for encrypted communications. Facebook is "gradually rolling out" this experimental feature, which will be available from your account's Contact and Basic Info page.
Facebook says it has chosen to use GNU Privacy Guard (GPG) for its implementation. Back in February, the company stepped in with a $50,000 donation when the GPG project was struggling to raise funds to secure its future. As far as the detailed implementation is concerned, Facebook's notifications will be encrypted using the RSA or ElGamal algorithms, and the company is "investigating the addition of support for GPG's newer elliptic curve algorithms in the near future." Facebook is also looking at ways of offering public key management on mobile devices, not currently supported.
When encrypted notifications are enabled on an account, Facebook will sign outbound messages using its own private key to provide greater assurance that the contents of inbound e-mails are genuine—one of the chief benefits of the new feature. It means, for example, that users can be sure that password reset messages do indeed come from Facebook rather than someone masquerading as the company.
Although limited in its impact, the move is a step beyond HTTPS by default, which the company rolled out two years ago. Facebook's example may encourage other online services to follow suit, and could also help to raise awareness of the general idea of end-to-end encryption for email.
This post originated on Ars Technica UK
