SoylentNews is people

posted by n1 on Tuesday June 02 2015, @07:47AM   Printer-friendly
from the privacy-is-key dept.

It's the site that Soylentils love to hate, and it is now making end-to-end PGP-encrypted email a little easier:

Facebook announced that its users can now add their PGP public keys to their profiles, which should make discovery of people who use PGP much easier. Emailing them will still depend on using your own PGP client, such as GNU Privacy Guard (GPG) or Whiteout. That also means that there's no way for Facebook to intercept those messages in an unencrypted form.

Facebook will also start encrypting the notifications it sends to users via email. Facebook itself will be able to see these messages because it is the one encrypting them "end to end" (from Facebook to the user). The main purpose of this wouldn't be to protect the notifications from Facebook itself, but to protect users against phishing emails (where sites impersonate Facebook).

Despite still being one of the companies that collects the most data about us, Facebook has taken some positive steps to increase the security and privacy (from other entities) of its users lately. It has enabled HTTPS on its site with HSTS protection, it has provided a Tor onion site[1] for its service for those who want to have anonymous profiles on Facebook, and it has enabled STARTTLS encryption for emails going from its own datacenters to other email companies.

[1] Note that researchers recently used Facebook's hidden service to test an attack on Tor users.


  • (Score: 4, Interesting) by Bot on Tuesday June 02 2015, @09:09AM

    by Bot (3902) on Tuesday June 02 2015, @09:09AM (#191075) Journal

    First, you have to know that PGP is not a drug, and this helps.
    Then you realize that PGP pubkeys in the hands of a social network give them too much power, and distribute them in other ways, but at least you know what it's all about.

    --
    Account abandoned.
  • (Score: 2, Insightful) by Anonymous Coward on Tuesday June 02 2015, @09:17AM

    by Anonymous Coward on Tuesday June 02 2015, @09:17AM (#191078)

    I bet you there are more PCP users than PGP users.

  • (Score: 1, Insightful) by Anonymous Coward on Tuesday June 02 2015, @10:59AM

    by Anonymous Coward on Tuesday June 02 2015, @10:59AM (#191097)

    The real problem is that people use Facebook at all.

  • (Score: 2) by frojack on Tuesday June 02 2015, @08:08PM

    by frojack (1554) on Tuesday June 02 2015, @08:08PM (#191250) Journal

    > Then you realize that PGP pubkeys in the hands of a social network give them too much power, and distribute them in other ways, but at least you know what it's all about.

    Really?

    Pubkeys are meant to be, (oddly enough) PUBLIC, and are published to key servers precisely for that reason.

    To their credit Facebook is not involved with the encrypted mail you send:

    > Emailing them will still depend on using your own PGP client, such as GNU Privacy Guard (GPG) or Whiteout. That also means that there's no way for Facebook to intercept those messages in an unencrypted form.

    As best I can see, Facebook is going to pretend it is a public keyserver, but most likely it will just provide a visible place to let people know you have a public key.
    Most mailer software already handles automatic lookup via key-servers (pool or named) of the public key of anyone you care to mail to, as soon as you enter the target email address. It will then encrypt or not depending on settings you've made.

    But the devil is in the details:
    The risky part here is that the details are unclear about how this works. I'm guessing 50% of Facebook users have no idea that anything exists outside of Facebook. They would not know how to send an email outside of Facebook if their life depended on it. So if they key in the message into any Facebook app or web page, they have handed the text over un-encrypted, and they are trusting the app/web to pass it through their on-device PGP utility.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by Bot on Saturday June 13 2015, @09:52AM

      by Bot (3902) on Saturday June 13 2015, @09:52AM (#195720) Journal

      > Pubkeys are meant to be, (oddly enough) PUBLIC.

      Of course. But a thing gotten off Facebook (oddly enough) is not PUBLIC. Nothing prevents them from presenting a fake pubkey to selected users and performing a MITM.

      --
      Account abandoned.
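
The key-substitution concern at the end of the thread is what fingerprint comparison guards against: a key fetched from any directory is trusted only if its fingerprint equals one obtained from the owner by another channel. The following is an added example, not part of the original thread or any commenter's code. It computes the RFC 4880 v4 fingerprint of a fetched binary key and compares it with a pinned value; the toy key packets and the names `toy_key`, `GENUINE`, `SUBSTITUTED` and `PIN` are constructed for illustration.

```python
import hashlib

def first_public_key_body(data: bytes) -> bytes:
    """Return the body of the first Public-Key packet (tag 6) in binary OpenPGP data."""
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header: tag in the low 6 bits
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            length, pos = int.from_bytes(data[pos:pos + (1 << ltype)], "big"), pos + (1 << ltype)
        if tag == 6:
            return data[pos:pos + length]
        pos += length  # skip packets that are not the primary key
    raise ValueError("no public-key packet found")

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, two-octet length, packet body."""
    if key_body[:1] != b"\x04":
        raise ValueError("only version 4 keys handled")
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def key_matches_pin(data: bytes, pinned_fpr: str) -> bool:
    """True only if the fetched key carries the fingerprint obtained out of band."""
    return v4_fingerprint(first_public_key_body(data)) == pinned_fpr.replace(" ", "").upper()

def toy_key(n: int) -> bytes:
    """Constructed v4 RSA key packet with a toy modulus (sample data, not a real key)."""
    def mpi(x: int) -> bytes:
        return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1433232000).to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(65537)
    return bytes([0xC6, len(body)]) + body

GENUINE = toy_key(0xC0FFEE1234567891)      # key the owner generated
SUBSTITUTED = toy_key(0xBADC0DE987654321)  # different key served under the same name
PIN = v4_fingerprint(first_public_key_body(GENUINE))  # stands in for a fingerprint given in person
```

`key_matches_pin(GENUINE, PIN)` is true and `key_matches_pin(SUBSTITUTED, PIN)` is false, so a swapped key is rejected before anything is encrypted to it.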