Could Facebook Become the New Web of Trust? Maybe!

I’ve talked extensively about email encryption and security. It’s no secret that I prefer Secure/Multipurpose Internet Mail Extensions (S/MIME) over Open Pretty Good Privacy (OpenPGP), in part because of the latter’s reliance on a failing Web of Trust. With that said, I’ve come across a feature in Facebook, of all places, that could be used to revive PGP’s reliability.



Facebook has the popularity and power to become the new Web of Trust – and the features are already in place (Image Credit: geralt)


An Old Feature, but It’s Still News to Me


I think Facebook must have been pretty quiet about it, although the social media giant did issue a news release in 2015 when the feature went live. To help users feel safe and trust that their connections to Facebook remained secure, the social network began providing a means to allow people to add OpenPGP public keys to their profiles. This was intended to allow Facebook to send end-to-end encrypted notification emails to users, but it has much more far-reaching implications.


With or without enabling encrypted notifications, Facebook users can choose to share their PGP public key on their profile page. In this way, Facebook could easily become a new Web of Trust. No longer would you have to rely upon the validation information from keyservers, which is not at all reliable because it’s so cumbersome to use that many people ignore the feature altogether. Instead, you could just look up your contact on Facebook and find their public key that way.


Enabling the OpenPGP Public Key on Facebook


If you want to provide your OpenPGP public key on your profile, here’s how you go about it. Make sure you’re on a computer, for starters. I’m not sure this process is even possible on a mobile device, and if it is, it’s going to be far too cumbersome.


First, get to your Facebook settings by clicking the blue triangle right of the question mark in the upper right corner of the Facebook page. Then, click Settings.



Getting to Settings in Facebook


Next, click on Security. You’ll see an option for Public Key. Click Edit beside that option to move on.



I never noticed this option before, but it’s apparently been there since 2015


Now you’ll enter a screen where you can paste your OpenPGP public key. Go ahead and do so, and decide whether or not you want Facebook to send you encrypted email. I found the best way to input the public key was using the entire contents of the ASCII file you get when you export the key from your PGP certificate (usually using GPG Suite on a Mac). If you decide to let Facebook encrypt communications with you, make sure you keep reading through the end of this article – there’s a “gotcha” between that and Keychain Access that you might want to be aware of. After you’ve pasted in your public key and checked (or not) the checkbox to use the public key to encrypt notification emails to you, click on Save Changes.



Provide Facebook with your OpenPGP public key


You may receive an encrypted email from Facebook to confirm your public key’s validity. Follow the instructions within that email to make the below message go away.



Public Key inserted





Adding Your Public Key to Your Facebook Profile


To display your public key on your profile page, you need to update your contact information. From Facebook’s top menu bar, click on your face to get to your profile. Then click on Update Info.



Now to add my PGP Public Key to my profile page


Moving on. Click on Contact and Basic Info for the next step.



Click on Contact and Basic Info


Now click + Add a public key.



Now you can add your public key


Paste your public key into the field provided, if it isn’t already there. Choose who you want to be able to see your key, and click Save Changes.



If it isn’t already there, you can paste it into place


That’s it! After this, anybody you allow will be able to view and download your OpenPGP public key for use in emailing you.
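Before a contact relies on a key downloaded from a profile, they can compare its fingerprint with one the key owner gave them through another channel. The Python below is an added example, not code from this article or from Facebook: it decodes the ASCII-armored text, checks the armor checksum, and computes the version 4 fingerprint. It assumes a v4 key with an old-format packet header and rejects anything else; the function names and the sample packet are made up for illustration.

```python
import base64
import hashlib

BEGIN, END = (f"-----{w} PGP PUBLIC KEY BLOCK-----" for w in ("BEGIN", "END"))

def crc24(data: bytes) -> int:
    """CRC-24 of the armor checksum line (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Decode an armored public key, verifying the checksum line if present."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored OpenPGP public key")
    body = lines[1:-1]
    if "" in body:  # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    check = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if check and int.from_bytes(base64.b64decode(check[1:]), "big") != crc24(data):
        raise ValueError("armor checksum mismatch: text was altered or truncated")
    return data

def v4_fingerprint(packets: bytes) -> str:
    """SHA-1 fingerprint of the leading v4 public-key packet (RFC 4880, 12.2)."""
    first = packets[0] if packets else 0
    if first & 0xC0 != 0x80 or first & 3 == 3:
        raise ValueError("only old-format, definite-length headers are handled")
    tag, start = (first >> 2) & 0x0F, 1 + (1 << (first & 3))
    length = int.from_bytes(packets[1:start], "big")
    body = packets[start:start + length]
    if tag != 6 or length > 0xFFFF or len(body) != length or body[:1] != b"\x04":
        raise ValueError("first packet is not a complete v4 public key")
    return hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()

def fingerprint_matches(armored: str, expected: str) -> bool:
    """Compare with a fingerprint obtained from the key owner out of band."""
    return v4_fingerprint(dearmor(armored)) == "".join(expected.split()).upper()

# Constructed sample: a v4 packet with made-up key material, not a usable key.
SAMPLE_PACKET = bytes.fromhex("99000c" "0400000000" "01" "0008ff" "000203")
SAMPLE = "\n".join([BEGIN, "", base64.b64encode(SAMPLE_PACKET).decode(),
                    "=" + base64.b64encode(crc24(SAMPLE_PACKET).to_bytes(3, "big")).decode(), END])
```

The expected fingerprint can be passed with or without spaces and in either case.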



Now for the Gotcha


Here’s a problem that may crop up if you turn on encrypted notifications from Facebook. Assuming you’re using Keychain to store your passwords, Safari will ask if you want to update your password. You probably should, but be aware of what that Keychain Access entry will look like afterwards. Here’s an example.



This is ugly window management


I’ve blurred out some data there, but it’s my public key. You can see there is no way to access my password to view it or change it.


To get around the problem, I had to highlight the entire contents of my public key, cut it, and then attempt to close the window. Keychain Access asked if I wanted to save my changes, and it was only when I said no that I was able to access the password field in the window.



This isn’t much better, but at least I can see the password field now


Your experience might be similar, so if you can’t see the password field, follow my advice from above and you should be okay.


Facebook Could Become the New Web of Trust


Almost everybody uses Facebook these days. It’s definitely conceivable that the social media network could become the new Web of Trust for PGP, if people start using this feature more. Of course, nobody I talked to about it even knew it was there, so that might not bode well for its prospects. However, if enough of us get the word out, it certainly could become a handy repository of public keys.

