Could Facebook Become the New Web of Trust? Maybe!


I’ve talked extensively about email encryption and security. It’s no secret that I prefer Secure/Multipurpose Internet Mail Extensions (S/MIME) over Open Pretty Good Privacy (OpenPGP), in part because of the latter’s reliance on a failing Web of Trust. With that said, I’ve come across a feature in Facebook, of all places, that could be used to revive PGP’s reliability.

Facebook and the Web of Trust

Facebook has the popularity and power to become the new Web of Trust – and the features are already in place (Image Credit: geralt)

An Old Feature, but It’s Still News to Me

I think Facebook must have been pretty quiet about it, although the social media giant did issue a news release in 2015 when the feature went live. To help users feel safe and trust that their connections to Facebook remained secure, the social network began providing a means to allow people to add OpenPGP public keys to their profiles. This was intended to allow Facebook to send end-to-end encrypted notification emails to users, but it has much more far-reaching implications.

With or without enabling encrypted notifications, Facebook users can choose to share their PGP public key on their profile page. In this way, Facebook could easily become a new Web of Trust. No longer would you have to rely upon the validation information from keyservers, which is not at all reliable because it’s so cumbersome to use that many people ignore the feature altogether. Instead, you could just look up your contact on Facebook and find their public key that way.
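Before trusting a key pulled from a contact's profile, compute its fingerprint locally and compare it with the fingerprint the contact shows or reads out to you; this added example (not code from the original post) does that for an ASCII-armored OpenPGP public key block, and the sample key it builds is a constructed toy, not a usable key.

```python
import base64, hashlib, re, struct
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def dearmor(text):
    """Strip ASCII armor (RFC 4880 s6.2): headers, blank line, base64 body, CRC24 line."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != BEGIN: raise ValueError("not an armored OpenPGP public key block")
    b64, in_body = [], False
    for line in lines[1:]:
        if line.strip() == END:
            break
        if not in_body:                      # armor headers end at the first blank line
            in_body = line.strip() == ""
        elif not line.startswith("="):       # "=XXXX" is the CRC24 line; not needed here
            b64.append(line.strip())
    return base64.b64decode("".join(b64))

def first_packet(data):
    """Return (tag, body) of the first packet; old- and new-format headers, no partial lengths."""
    hdr = data[0]
    if not hdr & 0x80: raise ValueError("bad packet header")
    if hdr & 0x40:                                        # new-format header
        tag, l = hdr & 0x3F, data[1]
        if l < 192:    n, off = l, 2
        elif l < 224:  n, off = ((l - 192) << 8) + data[2] + 192, 3
        elif l == 255: n, off = struct.unpack(">I", data[2:6])[0], 6
        else: raise ValueError("partial body lengths not supported")
    else:                                                 # old-format header: length type in low 2 bits
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3: raise ValueError("indeterminate length not supported")
        width = 1 << ltype                                # 1, 2 or 4 length bytes
        n, off = int.from_bytes(data[1:1 + width], "big"), 1 + width
    return tag, data[off:off + n]

def fingerprint(armored):
    """v4 fingerprint (RFC 4880 s12.2): SHA-1 over 0x99 || 2-byte body length || body."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4: raise ValueError("first packet is not a version-4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def matches_profile(armored, fpr_from_profile):
    """True only if the key's fingerprint equals the one the contact published, ignoring spacing/case."""
    return fingerprint(armored) == re.sub(r"\s+", "", fpr_from_profile).upper()

def toy_key(e=65537):
    """Constructed sample: RSA-tagged v4 key packet with a tiny modulus. Illustrative only, NOT a real key."""
    mpi = lambda x: struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1430000000) + b"\x01" + mpi(0xC0FFEEBADCAFE1) + mpi(e)
    packet = b"\x99" + struct.pack(">H", len(body)) + body    # old-format header, tag 6, 2-byte length
    return f"{BEGIN}\nComment: constructed sample\n\n{base64.b64encode(packet).decode()}\n{END}\n"
```

A key published on a profile only proves that the account holder uploaded it; the fingerprint comparison is what ties the block you pasted to the value the person actually vouches for.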

Enabling the OpenPGP Public Key on Facebook

If you want to provide your OpenPGP public key on your profile, here’s how you go about it. Make sure you’re on a computer, for starters. I’m not sure this process is even possible on a mobile device, and if it is, it’s going to be far too cumbersome.

First, get to your Facebook settings by clicking the blue triangle right of the question mark in the upper right corner of the Facebook page. Then, click Settings.

Step 1: Getting to Settings in Facebook

Next, click on Security. You’ll see an option for Public Key. Click Edit beside that option to move on.

Step 2: The Public Key option under Security. I never noticed this option before, but it’s apparently been there since 2015

Now you’ll enter a screen where you can paste your OpenPGP public key. Go ahead and do so, and decide whether or not you want Facebook to send you encrypted email. I found the best way to input the public key was to use the entire contents of the ASCII-armored file you get when you export the key from your PGP certificate (usually using GPG Suite on a Mac). If you decide to let Facebook encrypt communications with you, make sure you keep reading through the end of this article: there’s a “gotcha” between that setting and Keychain Access that you might want to be aware of. After you’ve pasted in your public key and checked (or not) the checkbox to use the public key to encrypt notification emails to you, click on Save Changes.

Step 3: Provide Facebook with your OpenPGP public key

You may receive an encrypted email from Facebook to confirm your public key’s validity. Follow the instructions within that email to make the below message go away.

Step 4: Public Key inserted


One Comment

  1. Bill Bullock

    Hi Jeff. You might be interested in what we did with https://www.securemyemail.com where we did, indeed, use Facebook, Twitter, and LinkedIn with OpenPGP as an “update” to the legacy PGP Web of Trust. Instead of manually verifying the public key on Facebook (still possible, though), we automated things by asking (it is optional) SecureMyEmail users to authenticate to their preferred social network(s) to verify their identity. Once done, when these users invite contacts to set up encrypted email with them, the invitee can see if the inviter has verified their identity with a social network and click on the social icon in the app. If the inviter is legit (proven by successful authentication to the social network), their social page will come up and the invitee can verify that it’s the person they know. Users will then have the option of raising the “trust level” of the inviter, and other users can see that this person has been vouched for by the contact they invited.

    I realize that may sound complicated, but it’s not. It’s very simple and fully automated, but we, like you, didn’t want to have users using OpenPGP without access to a web of trust component and thought using social networks was an excellent and modern alternative to the old way (which most PGP users seldom did due to cumbersomeness, as you obviously know).
