Facebook boosts notification email security with OpenPGP encryption

Don't let hackers take your Facebook account. Protect your email notifications with OpenPGP.

The next time someone tags you in a Facebook post, the social network can send you a super secret notification that not even the National Security Agency can read--at least as far as we know. On Monday, Facebook announced that you can now add an OpenPGP key to your Facebook profile.

When you do this, Facebook will also give you the option to enable encryption for email alerts. That means the next time you get an email notification from Facebook for a new tag, friend request, or, most importantly, a password reset, the message will be encrypted.

The social network isn't helping you generate your own key, but if you have one you can add it to your profile here. The new feature is rolling out over time, so if you don't see it now check back over the next few days. It also only works on desktop browsers, but the company says it is working on a way to allow you to manage your keys on mobile as well.

The addition of OpenPGP keys is the second major security-focused announcement from Facebook in recent months. In October, Facebook created a site on the Tor network allowing users to connect to Facebook with enhanced anonymity. Facebook's Tor site was notably also the first "darknet" site to earn its own SSL certificate.

Why this matters: It may seem like overkill to get an encrypted notification to let you know about a Facebook poke or when someone posts on your timeline. Security notifications, however, are another matter. If hackers got access to your email account and then tried to send a password reset for Facebook it wouldn't do them much good with encryption enabled. Unless the bad guy had your private OpenPGP key there would be no realistic way for them to read the encrypted message.

Email encryption is also becoming a hot topic: Both Gmail and Yahoo plan on offering OpenPGP encryption in the near future.

How it works

Here's a quick primer on email encryption basics. To use OpenPGP you have to generate two keys: one private and one public. The private one you keep to yourself and never share with anyone; it should also be locked down with a password that's hard to guess. The public key you share far and wide. Then, when someone wants to send you an encrypted message, their email program uses your public key to scramble the message, and only someone who holds the matching private key can unscramble it.

Hands on

To get started, follow the link to your profile referenced above or open your Facebook profile and click About > Contact and Basic info.

Under the contact information heading you should see an option that says + Add a public key. Click that option and a large text box appears. Copy and paste your complete public key into that box--from the first line with the dashes to the last line with the dashes.

If you want to encrypt your email alerts from Facebook, check the box below the text entry area that says "Use this public key to encrypt emails that Facebook sends to you?"

Finally, decide whether you want your public key displayed on your profile. You can choose to make it completely public to all Facebook users, only friends, only you, or only to any custom sharing lists you've made.

I would recommend making it public since the whole point of your public key is to make it available to the world.

Once you've decided how you want to share your public key on your Facebook profile, click Save Changes and you're done.

Facebook will then display your public key fingerprint (a short hash of your key that you and your software can use to confirm it is the right one).

Finally, if you select the encrypted email notifications option, Facebook will send you an encrypted email that will include a link you must click to confirm you want to receive encrypted messages from Facebook.
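The public key block you paste in the steps above, and the fingerprint Facebook shows afterwards, both follow the OpenPGP standard (RFC 4880), so you can check locally that you copied the whole block and that the fingerprint on your profile matches your key. The following is an added example, not Facebook's code and not from the article: it is Python using only the standard library, it builds a constructed sample key packet (a toy RSA modulus that is not a real key) so it runs offline, and it assumes Facebook displays the standard v4 fingerprint. It verifies a pasted block is complete and intact via the armor's CRC-24 line, parses the first packet (old and new header formats), and computes the fingerprint and key ID to compare against the profile page.

```python
import base64
import hashlib
import struct

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data):
    """CRC-24 from RFC 4880 6.1; the armor's last line carries it so a
    truncated or mangled paste is caught before the key is ever used."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(packets):
    """Produce the dashes-to-dashes text form of a binary packet sequence."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, "", *lines, crc_line, ARMOR_END]) + "\n"

def dearmor(text):
    """Reverse armor(); raises ValueError when the block is incomplete or altered."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not a complete armored public key block")
    try:
        start = lines.index("", 1) + 1  # data starts after the headers' blank line
    except ValueError:
        raise ValueError("missing blank line after armor headers") from None
    data_lines = [ln for ln in lines[start:-1] if ln]
    if not data_lines or not data_lines[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    packets = base64.b64decode("".join(data_lines[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(data_lines[-1][1:]), "big")
    if crc24(packets) != expected:
        raise ValueError("CRC-24 mismatch: block was altered or truncated")
    return packets

def parse_packet(packets):
    """Return (tag, body) of the first packet; handles old- and new-format headers."""
    ctb = packets[0]
    if not ctb & 0x80:
        raise ValueError("invalid packet header")
    if ctb & 0x40:  # new format: tag in the low 6 bits, variable-size length follows
        tag, first = ctb & 0x3F, packets[1]
        if first < 192:
            length, offset = first, 2
        elif first < 224:
            length, offset = ((first - 192) << 8) + packets[2] + 192, 3
        elif first == 255:
            length, offset = struct.unpack(">I", packets[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not used for public keys")
    else:  # old format: tag in bits 2-5, length field size in the low 2 bits
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length not supported")
        size = (1, 2, 4)[ltype]
        length, offset = int.from_bytes(packets[1:1 + size], "big"), 1 + size
    return tag, packets[offset:offset + length]

def fingerprint_v4(key_body):
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, then the body."""
    if key_body[0] != 4:
        raise ValueError("only version 4 keys have this fingerprint form")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def inspect_pasted_key(text):
    """Everything worth comparing against what the profile page shows."""
    tag, body = parse_packet(dearmor(text))
    if tag != 6:
        raise ValueError("first packet is tag %d, not a public key" % tag)
    fpr = fingerprint_v4(body)
    return {"version": body[0], "algorithm": body[5], "fingerprint": fpr, "key_id": fpr[-16:]}

def mpi(value):
    """OpenPGP multi-precision integer: two-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def constructed_sample_key():
    """CONSTRUCTED v4 RSA public-key packet with a toy modulus: for parsing only, never a real key."""
    n = 0xC0FFEE_D00D_1234_5678_9ABC_DEF0_1234_5678_9ABC_DEF1  # placeholder, not an RSA modulus
    body = bytes([4]) + struct.pack(">I", 1433116800) + bytes([1]) + mpi(n) + mpi(65537)
    return bytes([0x99]) + struct.pack(">H", len(body)) + body  # old-format header, tag 6

def tamper_is_detected(text):
    """Change one base64 character of the data; the CRC-24 line must then reject the block."""
    lines = text.strip().splitlines()
    idx = lines.index("") + 1
    lines[idx] = ("B" if lines[idx][0] != "B" else "C") + lines[idx][1:]
    try:
        dearmor("\n".join(lines))
    except ValueError:
        return True
    return False
```

Running `inspect_pasted_key(armor(constructed_sample_key()))` returns the version, algorithm, 40-hex-digit fingerprint and 16-digit key ID; with a real exported key, feed the pasted text to `inspect_pasted_key` and compare the fingerprint to the one shown on the profile. The CRC-24 only guards against accidental corruption such as a cut-off paste; it is the fingerprint comparison that tells you the key on the profile is yours.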

That's it: Welcome to the wonderful world of encrypted email notifications from Facebook.

Stories by Ian Paul

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts