Facebook positive step to use PGP for sending encrypted notification emails

Facebook users can add PGP keys to their profiles in order to receive “end-to-end” encrypted notification emails sent from Facebook.

On June 1, 2015, Facebook announced a new security feature to enhance the privacy of notification email content. Now, Facebook users are able to add PGP keys to their profiles in order to receive “end-to-end” encrypted notification emails sent from Facebook to their preferred email accounts. Also, this feature allows users to share OpenPGP keys from their profiles, with or without enabling encrypted notifications. Using PGP technology to send emails keeps potentially sensitive messages out of the hands of hackers and other snoopers.

As this feature is enabled, notification emails will be encrypted via the public keys provided by users. These may include account recovery notification emails. Therefore, if users cannot decrypt messages in the future due to loss of keys or other issues and if users also become locked out of Facebook, recovery of Facebook account may not be possible.

PGP stands for Pretty Good Privacy and created by Phil Zimmermann in 1991. This is known as one of the most popular email encryption standards that uses public key cryptography and Facebook has chosen to use GNU Privacy Guard – “GPG” – a widely used and free implementation of the OpenPGP standard.

Facebook took a major step forward to improve the privacy of users that is admired by security experts like Alex Stamos, Yahoo’s CISO.

“Great work by the Facebook team!” he twitted.

After users enable this feature, Facebook send an email containing an attachment named encrypted.asc that must be decrypted to retrieve a required link for finalizing enablement of encrypted notification emails.

Facebook’s move will bring encryption to the fore, but the problem here, of course, is that most people have no idea how public-key cryptography works and how to even get started with it.

About the Author

Ali Taherian (@ali_taherian) is an enthusiastic information security Officer. He’s finished his education in information security and has recently been involved in banking software and payment security industry. Taherian is proud to be certified IBM Cloud Computing Solution Advisor and ECSA and enjoys sharing and tweeting about security advances and news.

Edited by Pierluigi Paganini

(Security Affairs –  Facebook , PGP)