Secure Facebook emails with PGP

Emails are the postcards of our times. The only difference is that we do not send them just once a year from our holiday, but multiple times a day, and they include conversations that we would not dare to write on a postcard…

Email was designed to be used unencrypted. There are extensions like STARTTLS (don’t really use this; a MITM can simply strip it) or native TLS to secure the transport, and since the big mail providers started using them, the usage rate has gone up. However, this still does not ensure that only you can read your mail, only that it is safe “on the wire”. There are additional extensions to mail like DKIM or SPF, but the adoption is pretty low, and mailing lists tend to mess them up…

There is a pretty good way to ensure real privacy of the content by using PGP, but it is still not a widely adopted, easy-to-use or idiot-proof method of securing the content of emails. It basically works by giving your public key (which is not sensitive) to the sender, who uses it to encrypt the content of the email, so that only you (or anyone else holding your private key) can read it.

If you happen to poke around your Facebook security settings, you can find a menu entry for having Facebook send encrypted emails to you. This is pretty awesome! You only need an email client or service that supports receiving encrypted emails.

ProtonMail happens to use PGP encryption and has seamlessly integrated it into its core mail service, so every email sent to you encrypted with your public key is transported end-to-end secured, for your eyes only.

You might ask if this is really required, but if you have the opportunity, why not use it? 🙂 Simply go to the Keys section of your Settings page, where you can use the link in the Download column to get a text file that looks like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v0.11.0-PM
Comment: http://openpgpjs.org

xsBNBFW/wqcBCACxKl4LOxj88CLGjKZpwdLFCTW+MTO+SwNGtOKeC9vugRpo
OWUZW3E2GGuWiUYyJ0iMUHBnvPuy3YY3pE7MgMVuymuHQkL2C/tOiEcOPvlr
w6VgkL4udWxDQ8PlmBR3md4+164K4bQBSMsh+QoBOzserqTnnBGawkNEWFF9
[...]
-----END PGP PUBLIC KEY BLOCK-----

Just copy this text and paste it into Facebook.

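Since the downloaded file is about to be pasted into a third-party site, it is worth confirming that it really is a public key block and not a private one. The following Python sketch is an added example, not part of the original post or of ProtonMail's or Facebook's code; the function name `inspect_armored_key` is hypothetical, and the sample is the header plus first body line of the key shown above, which is enough to read the first packet.

```python
import base64
from datetime import datetime, timezone

ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Header and first body line of the key shown on the page; the page elides
# the rest with "[...]", and the first line is enough for this check.
SAMPLE = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v0.11.0-PM
Comment: http://openpgpjs.org

xsBNBFW/wqcBCACxKl4LOxj88CLGjKZpwdLFCTW+MTO+SwNGtOKeC9vugRpo
"""

def inspect_armored_key(text):
    """Check an ASCII-armored block is a public key and describe it."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----":
        raise ValueError("refusing to share, not a public key block: " + lines[0])
    # Armor headers (Version:, Comment:) end at the first blank line.
    raw = base64.b64decode(lines[lines.index("") + 1], validate=True)
    first = raw[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                     # new format: tag in the low 6 bits
        tag, l0 = first & 0x3F, raw[1]
        if 224 <= l0 < 255:
            raise ValueError("partial body length is not valid for a key")
        hdr = 2 if l0 < 192 else 3 if l0 < 224 else 6
    else:                                # old format: tag in bits 5..2
        tag = (first >> 2) & 0x0F
        hdr = 1 + (1, 2, 4, 0)[first & 3]
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, expected 6 (public key)")
    if raw[hdr] != 4:
        raise ValueError(f"only version 4 keys are handled, got {raw[hdr]}")
    created = int.from_bytes(raw[hdr + 1:hdr + 5], "big")
    algo = raw[hdr + 5]
    info = {
        "created": datetime.fromtimestamp(created, timezone.utc).date().isoformat(),
        "algorithm": ALGOS.get(algo, f"id {algo}"),
    }
    if algo == 1:                        # RSA: modulus MPI starts with bit count
        info["bits"] = int.from_bytes(raw[hdr + 6:hdr + 8], "big")
    return info

if __name__ == "__main__":
    print(inspect_armored_key(SAMPLE))
```

This only reads the first packet; it does not verify the armor checksum or the key's self-signatures.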

After clicking Save Changes, Facebook will send you a validation link to confirm that you really receive their emails.

Be aware that after clicking this link and confirming the change, all your received emails, including any password recovery mail, will be sent encrypted, so losing access to the PGP private key could also mean losing the ability to recover lost passwords.

However, this is also why it is actually secure; others cannot intercept emails sent to you, and this can add one small step in securing your Facebook account.


We live in times where data leaks and information theft are daily business, well hidden from your life – until it hits you hard. Each small step counts.
