Facebook Kills PGP-Encrypted Emails (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: In 2015, as part of the wave of encrypting all the things on the internet, encouraged by the Edward Snowden revelations, Facebook announced that it would allow users to receive encrypted emails from the company. Even at the time, this was a feature for the paranoid users. By turning on the feature, all emails sent from Facebook -- mostly notifications of "likes" and private messages -- to the users who opted-in would be encrypted with the decades-old technology called Pretty Good Privacy, or PGP. Eight years later, Facebook is killing the feature due to low usage, according to the company. The feature was deprecated Tuesday. Facebook declined to specify exactly how many users were still using the encrypted email feature.
So? (Score:5, Insightful)
Re:So? (Score:2)
There's a difference between knowing you're ending up in some company's database, and knowing anyone on the internet can read your interactions with said company.
For the longest time the greater concern was not that people were using Facebook or that marketing companies were involved, it was that the government wanted to snoop on what you liked and didn't like before granting people visas.
People care about what impacts them. Someone showing me an advert is very frigging low on the list of things qualifying for the limited amount of shits I have to give.
Re:So? (Score:2)
Privacy is half the value of PGP. The other half is about authentication: knowing who sent the email. It's arguably useful (within the hypothesis that Facebook is useful) to know that an email which claims to come from Facebook, actually came from Facebook.
But wait .. about that privacy thing. I have no idea how a person decides to trust Facebook, but if we ass/u/me they do, then this allows Facebook and a person to communicate without others being able to read it. Lots of people choose (for whatever reason) to communicate with Facebook, but don't choose to communicate the same things with $RANDOM_OTHER_PARTY. Why not keep access controls fine-grained?
Re:So? (Score:2)
Re:So? (Score:2)
Businesses use Facebook to advertise and interact with customers.
People don't care about privacy (Score:3)
Sorry, but it's true, they just want free stuff and convenience. Start talking about privacy and rights, see how fast they start ignoring (and avoiding) you.
Re:People don't care about privacy (Score:5, Insightful)
People care about privacy when something like the Snowden revelations or the Cambridge Analytica scandal is making headlines. They get really mad at how they have been spied on and betrayed.
But the very instant they must expend a modicum of effort towards protecting their privacy, they stop caring. They want their government and corporate providers to do all that for them and have it all be automatic so they don't have to think about it.
And the next time something like this makes headlines, they will get really mad again that their government and/or corporate providers have been spying on them, and yell a lot about how wrong this is and how it should be fixed.
And then go right back to doing nothing. It won't even occur to them that the people they expect to be protecting their privacy are the very people who have the most to gain from violating it. They find it a lot easier to just assume that someone else is handling it, and stop thinking about it.
Re:People don't care about privacy (Score:2)
Re:People don't care about privacy (Score:2)
Re:People don't care about privacy (Score:3)
But the very instant they must expend a modicum of effort towards protecting their privacy, they stop caring.
You're conflating all privacy as being equal. That's just not the case. People gave a shit about the Snowden revelations and the Cambridge Analytica scandal because it actually had the ability to affect them. On the flip side Facebook selling likes in some aggregated database to an advertisement company, doesn't qualify as something that most people give a shit about.
It is perfectly reasonable to give one person some information but want to protect it from another. Incidentally this is why I have three passports. Two for my different nationalities, and one for that sensitive country whose stamp we want to hide from a couple of other sensitive countries. Though given the intelligence of USA immigration officers and their inability to understand the concept of a courtesy hotel when flying first class as a reason for having a stamp in and out of a country on the same day, I think it may be time to use the burner passport for a second country too.
Re:People don't care about privacy (Score:5, Interesting)
The next time I would see maybe 90% of my clients, they'd have random spam popups and a shitload of trojans/viruses/worms... And would have turned off all the security settings I set for them. Asking why, they would say it was too much hassle, couldn't I just 'secure' it for them?
Of course I would try to explain it to them again... but eyes glaze over after 30 seconds and they'd just act like I should be able to wave my magic wand and poof! they are safe.
Re:People don't care about privacy (Score:2)
Why would you recommend a VPN?
Unless you're trying to hide your torrent box (and yes, that's a valid reason for one, but most home users don't do that much torrenting) or connecting to a business network, a VPN has no value for most users.
All one of those stupid VPN services does is change who can sniff your traffic from your ISP to a VPN provider.
I'm not a fan of Brave. I recommend Firefox with uBlock, Facebook Container, and if they're at all capable of handling it, NoScript. And DDG should be used as a search engine, no need to install their browser.
I used it (Score:4, Insightful)
I got the notification it was going away the other day. I liked it simply for the fact that if other MFA logins were bypassed, and they had access to my email, they still couldn't reset my password without my PGP key. One extra layer.
Re:I used it (Score:1)
Definitely makes sense, especially if one was all in on FB authentication for a bunch of other sites.
This is the wrong move! (Score:4)
Every single bleeping company cries and waxes poetic about how much they “deeply” and “critically” care about security, but then have standards that amount to a broken screen door and stuck open window on their infrastructure. I don't care if you're dealing with the DoD, DoJ or Little Jane's Cookie Company, run by the 75-year-old woman as a sole venture. PGP is essential, and there is no excuse for not using it. If you don't use PGP, or another open comparable solution, you don't care about security, period!
Maybe you have no idea how email works, and can't understand how SMS and Email are different, but that's where Facebook / Meta can get involved and throw shame on companies like Google and Microsoft. Why doesn't Outlook support PGP by default? Why doesn't GMail? Facebook / Meta shouldn't sunset PGP, they should make it a battle cry.
Re:This is the wrong move! (Score:3)
Facebook / Meta, should be calling out other companies about not using PGP. PGP is an essential part of email security and identity validation. It's a fair statement to say that any company who won't offer the option to use PGP, and who doesn't sign their emails by default, does not care, even by accident, about cybersecurity.
Except that to avoid getting blocked as spam, Facebook/Meta already has to sign every email sent from their mail servers (Sender ID), which makes PGP mostly moot unless you are either A. using it to encrypt emails or B. using it to sign emails with an on-device mail client to prove that nobody cracked into the user's email account. Neither of those things likely applies to communication sent by Facebook.
Re:This is the wrong move! (Score:2)
Re:This is the wrong move! (Score:3)
We're talking about security not spam.
When the messages are being sent by a server process, there's likely to be zero difference in practice. Either the account on the server that sends the message is compromised (in which case the PGP key is also probably compromised) or it isn't.
Re:This is the wrong move! (Score:2)
What about Microsoft emailing you about support, do you trust those? At what point do you trust email? Best practices already have you load the email client in a container or VM just to isolate it from the host. Email is the most insecure and dangerous point, in regard to cybersecurity, in an organization.
I'm at the point I load multiple email clients up to handle my work vs personal email, in three different VMs (Qubes), just to be safe.
Re:This is the wrong move! (Score:2)
No matter what or how you encrypt, you can't hide the sender or recipient for email to flow.
Re:This is the wrong move! (Score:3)
Phil Zimmermann, the man who created PGP, does not use PGP [scmagazine.com], or at least did not as of 2015, and had no way of encrypting or decrypting such email. He said at the time that he would try GPG, but it's not clear whether he ever did.
A number of other privacy luminaries have stepped away from it, some doing so publicly. Moxie Marlinspike did so [moxie.org] in February 2015. Filippo Valsorda, one of the cryptographers behind TLSv1.3, followed suit in December 2016. Bruce Schneier has said many times over the last decade that he believes PGP is more difficult to use than it's worth. All of them prefer Signal, which has its issues (particularly being tied to a phone number, which is both a strength and a weakness) but which is far, far easier to use, available on almost every notable platform, and is probably more secure than PGP/GPG will ever be.
I would suggest that those last three, at least, care a great deal about security, since they have spent their careers working very hard at providing it for the masses and that Phil Zimmermann likely does, too, even if he's not been as involved for a while.
Google looked at integrating OpenPGP into Gmail via an extension almost a decade ago, and they took a pretty good crack at it. Unfortunately, the threat model [github.com] turned out to have so many holes that it wasn't worth the effort (though Eduardo Vela Nava, aka sirdarkcat, still updates the code every few years). Please do look over that page, as it's one of the best threat model summaries I've ever seen. If you read it in detail, they note in several places that they do not identify all the threats within a particular realm, and that some threats simply cannot be addressed with a browser-based implementation. They published the source code for the extension under Apache 2.0, so you're welcome to pick up from where they left off.
Re:This is the wrong move! (Score:2)
On this computer I have 3 Qubes set up for email, one for my personal emails, one for my work emails and one for throwaway emails. The number of emails I delete without reading is rather large, because if anyone emails me and that email had to load almost all its resources from remote hosts, it gets deleted. If you email me and I don't recognize the address, and the email doesn't explain who you are, and why, deleted. If the email doesn't come across as professional, and useful, deleted.
If your workaround is to use Signal, fine, but you're really just changing the validation point from X to Y.
Re:This is the wrong move! (Score:2)
Email is so insecure that best practices recommend running your email clients in separate VMs or Containers, just to isolate them from your system.
Who is recommending this? I've been in security for nearly 20 years, and except for ultra-secure environments that 99.9% of users will never see, I've never seen such a suggestion. Further, almost no one is going to implement a VM just for their email client, and forget about an enterprise doing it to any real scale. There's just too much integration between programs for that to happen. They are especially not going to go the route of one VM for each account, and certainly not going to run Qubes.
Re:This is the wrong move! (Score:2)
Of course a simple workaround that is solid AF, PGP, because then you can verify and validate who is who. If person X from department Y sends me an email, I can look that up and verify they own the key, and validate the email, and if I'm really serious, give them a call and confirm.
I do this occasionally, when emails look even partially suspect. I have literally lost count of the number of times an email has come in to my inbox, that was legit, that I wouldn't touch with a 10 foot pole.
I'm actually surprised you haven't heard anyone recommend to run email clients, and especially servers, on VMs / Containers. The entire idea behind Qubes or any of the immutable OS's, NixOS, Fedora SilverCore, basically force this behaviour. There was a project from Microsoft, I'm not sure if they released it, that would isolate applications from each other in sandboxes, basically doing the "FlatPak" concept on Windows. The fundamental idea is to prevent a bad email from causing data loss, because it's contained, so it can only ever access a sandbox.
Just to be clear, I know Users HATE anything that takes 1 microsecond of time away from their workflow, and that requires any education. However, since email is almost always the flashing arrow of security concern in a company, it's absolutely worth taking seriously. Even if you don't want to use a VM or Container, you can containerize your browsers, which is far from perfect, but it's a decent step.
Re:This is the wrong move! (Score:2)
I greatly respect the work that Joanna Rutkowska put into Qubes, and what her team did when she stepped away from it. But it's not usable as an enterprise platform. It doesn't fit into any remote administration tools that are out there (at least as far as I am aware), and that's a key part of getting enterprises to accept it. Another important thing is, who provides support if something breaks? There was a plan in 2016 to provide commercial support, but I don't believe that ever took off. There are a few small firms offering support, but I don't see anything bigger than boutique firms, and a lot of training and hand-holding would be required for a conversion of any significant size.
I tried it for a while, but eventually set it aside because I couldn't fit it into my workflow. It was too easy to break things, and the time that it took to fix them interfered with me getting actual work done. I could argue security benefits all day, but ultimately, if I can't do my job, they'll find someone who can.
I'm actually surprised you haven't heard anyone recommend to run email clients, and especially servers, on VMs / Containers.
I've heard plenty of people talk about running servers in their own VMs or containers. I do it myself. But that doesn't automatically increase security, and if one doesn't know what they're doing, it can make security worse.
But those aren't the issue, and you bringing them up is a non sequitur at best and a red herring at worst. Email clients are the issue. And while I have heard of a few people talk about running their clients in a VM, that doesn't address my original question: Who is recommending this as a best practice? Certainly not the Center for Internet Security, or SANS, or NIST, or anyone else that I can find who isn't a purist that values security over getting work done.
Microsoft has introduced some sandbox isolation features into Windows, though it requires enabling Hyper-V, which brings its own mixed bag of issues. Edge, for example, can be sandboxed, and Outlook 365 has had the capability since 2020 (I have no idea whether the permanent license versions can do it). It's possible to sandbox other applications with some work. But sandboxing isn't containerizing, and it certainly isn't isolating them in a VM. Microsoft gently encourages sandboxing, but I'm not sure they've reached the level of best practice, and they certainly aren't calling isolating email in a VM a best practice.
Re:This is the wrong move! (Score:1)
All of them prefer Signal, which has its issues (particularly being tied to a phone number, which is both a strength and a weakness) but which is far, far easier to use,...
Usability is a huge issue for encrypted messaging. PGP is included here. Unfortunately, so is Signal. In a usability study involving Signal[1], 21 out of 28 computer science students failed to establish and maintain a secure end-to-end encrypted connection. The problem was with identity verification.
...and is probably more secure than PGP/GPG will ever be.
Related to the Signal usability issue with identity verification, Signal cheerfully allows a user to do messaging without any such verification at all. So that means that Signal, Twilio (the entity that does the phone # verification) and the phone company all have the opportunity to MITM the connection and get your messages. PGP will insist that you acknowledge that you have done the verification by signing the PGP identity in question. So, for almost all the people that currently use Signal, PGP would actually be more secure.
Signal isn't the only instant messenger that allows insecure operation with unverified identities. In general, if you don't make the issue clear to the user, you are being at least a little dishonest on your end to end encryption claim.
[1] https://www.ndss-symposium.org... [ndss-symposium.org]
Re:This is the wrong move! (Score:2)
PGP insists that someone signs the identity, not you specifically. I can create and upload a PGP key with your address to a key server and, unless you're monitoring for that, you would never know. If I can intercept your email traffic selectively, then since it's signed, it must be you, right? How many people contact their intended recipient to validate the fingerprint? How many of them know to do that, and of them, how many of them know how to reasonably securely contact you to validate that it's the right one?
If you look later in the study, you'll find that 13 of the 28 asked Bob to come into the room to compare the keys, but 6 failed to do the actual comparison, so it wasn't just that 75% utterly failed to do anything. There was some confusion about what to do, and the UI didn't help.
But that paper is also from seven years ago, first presented at EuroUSEC 2016 in July of that year. Signal made several changes afterward to make it clearer what should be done (it changed to safety numbers with clearer messaging and easier confirmation in November 2016) and has made further changes since then.
Ultimately, Signal is far easier to do than any version of PGP or GPG. Its encryption is much stronger, and while the implementation is not perfect, the fact that people who previously swore by PGP for secure communications have shifted says a lot about it.
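The key-server problem raised in the comment above, as an added example that is not part of the thread: a toy model in Go using Ed25519 in place of OpenPGP, with constructed addresses, seeds and message text, contrasting "some uploaded key for this address verifies the signature" with "the key whose fingerprint was confirmed out of band verifies it".

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Toy stand-in for an OpenPGP key: a public key plus a self-asserted user ID.
type Key struct {
	UserID string
	Pub    ed25519.PublicKey
}

// Fingerprint is a short hash of the public key (hypothetical format).
func (k Key) Fingerprint() string {
	sum := sha256.Sum256(k.Pub)
	return hex.EncodeToString(sum[:8])
}

// KeyServer models a public key server: anyone can upload a key under any
// address, and nothing checks that the uploader controls that address.
type KeyServer struct{ byEmail map[string][]Key }

func (ks *KeyServer) Upload(k Key) { ks.byEmail[k.UserID] = append(ks.byEmail[k.UserID], k) }

// VerifyViaKeyserver accepts a message if ANY listed key for the claimed
// sender verifies it. This is the mistake the comment describes.
func VerifyViaKeyserver(ks *KeyServer, sender string, msg, sig []byte) bool {
	for _, k := range ks.byEmail[sender] {
		if ed25519.Verify(k.Pub, msg, sig) {
			return true
		}
	}
	return false
}

// VerifyPinned only trusts the key whose fingerprint was confirmed out of band.
func VerifyPinned(ks *KeyServer, sender, pinnedFP string, msg, sig []byte) bool {
	for _, k := range ks.byEmail[sender] {
		if k.Fingerprint() == pinnedFP && ed25519.Verify(k.Pub, msg, sig) {
			return true
		}
	}
	return false
}

type Result struct{ ImpostorNaive, ImpostorPinned, GenuinePinned bool }

// Scenario: the genuine sender and an impostor both upload keys with the same
// user ID; the impostor signs a message. Fixed seeds keep the run deterministic.
func Scenario() Result {
	ks := &KeyServer{byEmail: map[string][]Key{}}
	const addr = "notifications@example.com" // constructed address
	genuinePriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, 32))
	genuine := Key{addr, genuinePriv.Public().(ed25519.PublicKey)}
	ks.Upload(genuine)
	pinned := genuine.Fingerprint() // obtained via a trusted channel, not the key server
	impPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, 32))
	ks.Upload(Key{addr, impPriv.Public().(ed25519.PublicKey)})
	msg := []byte("constructed notification body") // constructed sample
	impSig := ed25519.Sign(impPriv, msg)
	genSig := ed25519.Sign(genuinePriv, msg)
	return Result{
		ImpostorNaive:  VerifyViaKeyserver(ks, addr, msg, impSig), // true
		ImpostorPinned: VerifyPinned(ks, addr, pinned, msg, impSig), // false
		GenuinePinned:  VerifyPinned(ks, addr, pinned, msg, genSig), // true
	}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```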
Facebook and privacy (Score:1)
Never used Facebook.... (Score:1)
OK, I tried it for a few days after decades of avoiding it. I felt dirty.....
First I am hearing of this (Score:2)
I didn't know FB allowed encrypted emails. Perhaps the usage was low because the deployment occurred in such a way that ensured its failure?
Re: First I am hearing of this (Score:1)
ChatGPT already knows everything about you (Score:2)
So why would you need encryption for anything anymore?
Re:ChatGPT already knows everything about you (Score:3)
Makes sense (Score:2)
If you still use Facebook, you don't give a fuck about security or privacy.
Re: Makes sense (Score:1)
Re:Makes sense (Score:2)
Ending up in some aggregated database to sell me ads is different from random people intercepting my data. Privacy is not absolute. Yes there are people who don't give a fuck about Facebook, but do for example want to not have the US Immigration department knowing they follow North Korean groups on it.
Facebuk? (Score:2)
What is fasebook? I never heard of it