
Encrypting Facebook

By Axelle Apvrille | December 21, 2010

A while ago, probably after a long and difficult day, I got into this funny idea of encrypting my Facebook account messages so that only the people I really wanted to could read them (i.e. not an unknown stranger using Firesheep, nor third-party applications, nor even Facebook itself). For a moment, I wondered how to do this, until I remembered a Firefox plugin named FireGPG. Basically, FireGPG is a Firefox extension for GPG, i.e. it enables easy encryption, decryption, signing and verification in the browser.

So, I installed the plugin and tried it out. It's quite easy to use, actually. I prepared a new message in Facebook (don't hit the "share" button yet). The example below shows the encryption of a new status, but of course it works just the same with direct user-to-user messages.

Writing an encrypted message on Facebook

Then, I encrypted the message I wanted to secure (copy the message to the clipboard and do Tools > FireGPG > Encrypt, for example). FireGPG is basically a GPG front-end, so it is possible to use public key cryptography and encrypt the message for one or several recipients (provided their public keys are in your keyring), or to use "conventional encryption", i.e. symmetric encryption under a passphrase shared with the recipients.

This is what my wall looks like to unsolicited readers or applications :) Geeky, huh?

Encrypted message on Facebook

But the friends the message is for (and who have FireGPG installed) can decrypt it quite easily, because the FireGPG plugin spots that there is an encrypted message and displays the following:

FireGPG spots an encrypted message

They click on decrypt, enter their keyring passphrase or the shared passphrase, and read my wall correctly.

Decrypted message
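The same encrypt/decrypt round trip, done with the gpg command line instead of the plugin, as an added example (it is not code from the original post nor from FireGPG, which only drives GnuPG behind its menu entries). It shows both modes described above, public-key encryption for a recipient and "conventional" shared-passphrase encryption, the armor header a plugin looks for to spot an encrypted message, and what the ciphertext still reveals about the recipients. It assumes gpg 2.1 or later on PATH; the demo key identity, status text and shared passphrase are constructed for this example, and the keyring it creates is a throwaway one.

```shell
#!/bin/sh
# Added example, not code from the original post or from FireGPG: the GPG
# operations FireGPG drives behind Tools > FireGPG > Encrypt / Decrypt, done
# with the gpg command line so the ASCII-armored result can be pasted into a
# Facebook status or message by hand and decrypted from a copy of the wall.
# Assumptions: gpg 2.1 or later on PATH; the demo key identity, status text
# and shared passphrase below are constructed for this example.
set -eu

# Throwaway keyring, so the demo never touches your real one.
export GNUPGHOME="$(mktemp -d)"

have_gpg() { command -v gpg >/dev/null 2>&1; }

# Create an unprotected demo key (batch mode, no prompts). Real keys get a passphrase.
make_demo_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never 2>/dev/null
}

# Public-key mode: encrypt stdin for one or more recipients whose public keys
# are already in the keyring. --trust-model always skips the web-of-trust check
# so a freshly imported key can be used; verify fingerprints out of band instead.
encrypt_for() {
    recips=""
    for r in "$@"; do recips="$recips --recipient $r"; done
    # shellcheck disable=SC2086
    gpg --batch --quiet --trust-model always --armor --encrypt $recips
}

# "Conventional" mode: symmetric encryption under a passphrase shared with the
# recipients. --passphrase on the command line is demo-only (visible in ps);
# use --passphrase-fd or pinentry for real use.
encrypt_symmetric() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$1" \
        --armor --symmetric --cipher-algo AES256
}

# Decrypt an armored message from stdin; $1 is the key passphrase (public-key
# mode) or the shared passphrase (conventional mode).
decrypt_with() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$1" --decrypt 2>/dev/null
}

# How a plugin spots an encrypted message on a page: the armor header.
looks_encrypted() { grep -q -- '-----BEGIN PGP MESSAGE-----'; }

# What the ciphertext still reveals: one "pubkey enc packet" per recipient,
# carrying that recipient's key ID, unless the sender used --hidden-recipient.
count_recipients() { gpg --batch --list-packets 2>&1 | grep -c '^:pubkey enc packet'; }

if have_gpg; then
    make_demo_key "Alice Demo <alice@example.com>"
    status="Back from holidays, photos coming soon"

    pk_msg=$(printf '%s' "$status" | encrypt_for alice@example.com)
    printf '%s\n' "$pk_msg"                      # what strangers, apps and Facebook see
    printf '%s' "$pk_msg" | decrypt_with ''; echo # what Alice sees after "Decrypt"
    printf 'recipients visible in ciphertext: %s\n' "$(printf '%s' "$pk_msg" | count_recipients)"

    sym_msg=$(printf '%s' "$status" | encrypt_symmetric 'demo shared passphrase')
    printf '%s' "$sym_msg" | decrypt_with 'demo shared passphrase'; echo
    gpgconf --kill gpg-agent 2>/dev/null || true
else
    echo "gpg not found; install GnuPG 2.1+ to run this demo" >&2
fi
```

Run it as a script; it prints the armored block (what the wall shows to everyone else), the decrypted status, and the number of recipient key IDs recoverable from the ciphertext. A wrong passphrase or a missing private key makes `decrypt_with` fail with a non-zero exit status rather than return garbage.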

Note that if you are already using a Firefox plugin such as HTTPS Everywhere or Force-TLS, the communication pipe with Facebook (from your browser to Facebook's hosts) is already encrypted with TLS, so Firesheep users (and sniffers in general) cannot snoop on your private data in transit or steal your session cookie. In that case, FireGPG is 'only' useful to secure the messages on Facebook's hosts: what Facebook stores is ciphertext, so Facebook itself cannot read them (nor anyone else hacking her way into it). Keep in mind what stays visible anyway: who posted, when, and for whom (a public-key-encrypted message carries the recipients' key IDs unless the sender deliberately hides them), and in the shared-passphrase mode anyone who knows the passphrase can read everything encrypted under it.

Okay, so now I need to convert my friends to FireGPG. ;)

-- the Crypto Girl
