PGP - empowered by Facebook

PGP (Pretty Good Privacy) is a well-known approach, and Enigmail a widely used add-on, for keeping data and e-mail confidential or proving their integrity, that is, for encrypting and signing.

A major problem of PGP is key management: to send an encrypted message to a colleague, it is necessary to have obtained her so-called public key. This public key can be published online, but apart from the fact that it can be hard to find, the user cannot be confident that the public key really belongs to its supposed owner.

Since June 2015, Facebook has offered the option to list OpenPGP keys on a user's profile. We use this to enhance the Enigmail add-on for Thunderbird so that it automatically imports public keys from Facebook friends with a few clicks and less knowledge of the underlying mechanisms. That way, we address the problem of verified ownership in PGP.

Operational details

First, when generating a key, the user gets instructions for sharing her public key in her Facebook profile. Second, she can download the public keys of her friends. To do so, she has to enter her login data so that the add-on can search through her friends' profiles. This data is used only to log in to Facebook locally and is transferred encrypted. After a waiting time (dependent on the number of friends), the keys are imported.


The code is on the SECUSO GitHub.