But I could certainly see some benefits both for FB and for world at large from this. One of the big problems with PGP is how to bootstrap web of trust. "Does this key really belong to this particular person?" But what if the otherwise loathed real name policy could be turned to service this particular need? Prominently visible personalities can attach their PGP keys to their pages and make the first association harder to forge.
Secondly, I have little doubt that the keyservers are monitored. An increase of searches and/or downloads to known activist lawyers' or journalists' keys could have relation to uncomfortable whistles being blown in near future. But what if FB made the keys they have signed available via their own keyserver, and made that reachable over Tor? Downloading a high-profile PGP key is likely to be a fairly big red flag.
And lastly, there may be some positive effects further down the line. I've been using PGP (and later GPG) since 2.3i became available and I know just how horrid the usability is. If FB can iterate over UI and UX issues, then others can learn from those efforts, and eventually we might have something that even a regular person could at least learn to use.
And of course - adding more encrypted noise to global email flow is not a bad thing at all.
I have no doubt that FB sees many non-altruistic avenues if this service catches wind. Wonder is there is anything to relationship graphs with some extremely strong edges...
http://www.slate.com/blogs/business_insider/2015/05/18/tech_...
http://www.theguardian.com/technology/shortcuts/2015/may/19/...
But isn't the PGP move a sign that Facebook cares about our privacy? Not really. The profile thing makes it easy to discover people who use PGP and email them with encrypted messages, but that has nothing to do with Facebook's content.
As for the encrypted notifications, Facebook can obviously still read those, and it can be useful to protect the data from Google. Also, if more people use PGP for email, that means less data for Google, so I could actually see this being a strategic move, too. Maybe not a huge one, but it doesn't cost Facebook too much to implement this, so why not?
I'll start thinking Facebook actually cares about my privacy when the Messenger uses Axolotl or OTR as well as ZRTP. Until then, I'll remain skeptical of Facebook's privacy intentions.
They don't do Facebook, but you can tie a PGP key to various other public identities (Twitter, GitHub, HN, Reddit, etc.)
The link between a real person and a Facebook account isn't secure - I could make an account with your name today without too much stress (no need to provide ID unless Facebook thinks your name isn't a real name).
Any manager worth their salt will know that maintaining code is 10x more expensive than building it in the first place, and if it's user-facing code you're even adding an implicit promise that the feature isn't going to be removed again. I strongly doubt the "oh but it would be so hard to build that" argument counts for much.
That said, I've no idea about what kind of place Facebook really is.
Just look at all the shit that comes out of Google, not as part of some grand overarching scheme, but because someone thought it would be fun, and more often than not forgotten about a year later.
I'm not following. Once I hand over my data I have no real control over how they end up using it behind the scenes. Furthermore, even if I never sign up with Facebook or at some point delete my account thinking my data has been flushed, a "shadow profile" still exists that I have no control over. [1]
[1] http://motherboard.vice.com/blog/facebooks-shadow-profile-bu...
1. They tell you to trust webpages which claim that their code does not send passwords or private keys to the server – something which would be extremely hard to verify now and even were you to do so now, could silently change in the future:
https://www.dropbox.com/s/teikzwftimeu8nc/Screenshot%202015-...
https://www.dropbox.com/s/1xlvpd8drhix0tj/Screenshot%202015-...
2. They encourage blindly copying and pasting complex commands into a shell:
https://www.dropbox.com/s/5rv7p4mks0qdr7f/Screenshot%202015-...
I have no reason to believe they're doing any of this in malice but it's not good because it encourages people to believe claims which could be made by any phisher and encourages practices which put you at risk if Keybase is ever compromised.
The answer to this, of course, would be a browser-managed crypto API which could provide unspoofable UI indicating that e.g. a private key will never leave the client but in the absence of such an API it feels irresponsible to make similar claims which aren't actually possible.
Heck. In honor of FB's move, Keybase signups are open for the next 24h. Please one account per person. Use invite code: shit-yeah-facebook
[1] https://twitter.com/malgorithms/status/605807605659758592
Well that and they don't solve the only really interesting problem with GPG: how to send a secure email to somebody who doesn't yet have a private key.
You can see it here as a GIF animation http://pjbrunet.com/friends-secret-messages.gif The decoder was just as easy, another pink box under the encoder. Obviously a pro could crack the code but that wasn't the point.
It was free. I advertised it to hundreds of thousands of people at the top of my blog which was 99% social media users and many of them were interested in privacy related topics as I could see from the Google queries. Looking at the CTR on that banner (asking people to try it) I concluded nobody cared. I was obviously targeting people who weren't tech savvy. I had some friends try it, they said they felt like James Bond ;-) That particular app had no traction, but my "pipe letter generator" did much better.
╔╔╗════╔╗═╔╗═════╔╗═══════╔╗══════════════════╔═╗╗
║║╚╗╔═╗║║═║║═╔═╗═║╚╗╔═╗╔═╗║╠╗╔═╗╔═╗═╔═╗╔═╗╔╦╦╗║═╣║
║║║║║╚╣║╚╗║╚╗║║║═║║║║╬║║═╣║╦╣║╚╣║╔╝═║║║║╚╣║║║║╠═║║
║╚╩╝╚═╝╚═╝╚═╝╚═╝═╚╩╝╚╩╝╚═╝╚╩╝╚═╝╚╝══╚╩╝╚═╝╚══╝╚═╝║
╚════════════════════════════════════════════════╝They'd have Facebook's pubkey on file, and -- transparent to you -- would create something analogous to my browser's lock icon in their email browser. Any time you got an email from Facebook, it'd say "Verified Sender".
Heck, couldn't we tie mail from Facebook back to their domain cert given to them by their CA? If it says @facebook.com, and it's passes verification from the cert on facebook.com, then it's actually from Facebook, right?
https://support.google.com/a/answer/174124 https://support.google.com/a/answer/2466580
I really don't understand why it has been chosen over S/MIME. Maybe they gave the money to that german guy who wrote it and now they don't want them to be completely wasted :)
Facebook pledged to donate $50,000 a year to Koch’s project.
While I'm cautious about facebook in general, it is (in essence) a repository for public data. A public key falls into that category, so they gain nothing more than the association of user and key. And in return, the PRISM databank has more superbly useless information to store and eventually 'collect' for 1EF communication.
And I gain immunity from account hijacking unless I mess up Key Management.
If you click that verification link, you'll receive a web notification that it's enabled should start receiving encrypted notifications.
Check your spam folder in case your mail provider's or client's spam filter is mislabeling it.
If you don't see it, try unchecking and rechecking the opt-in box, which should trigger a new verification email. (We've had a feature request for a "Resend" button".)
I wonder if MS has made GPG support any easier in Outlook. Last I looked into it a year or two ago, it was hard to integrate unless you paid for the official PGP plug-in.
Payments (bitcoin style currencies), banking, document signitures, and single sign-on?
Some time ago I started collecting support of S/MIME in products and companies: https://gist.github.com/rmoriz/5945400