As part of the Facebook account security feature, Facebook sends various notification e-mails. All of these notification e-mails are sent in plain text. For notifications like "Login Alert", plain text is not a big problem, since the message contains nothing sensitive. However, for the password reset request e-mail it is a problem, because the reset code itself is sent in plain text. If your e-mail account is compromised, for example through session hijacking, the hacker has access to your e-mail account until the session expires, so they can request a Facebook password reset and easily take over your Facebook account.
Note: How your account got session hijacked is outside the scope of this blog post, but typically it happens after clicking on links in phishing e-mails or visiting infected websites.
Recently (June 2015), Facebook introduced an option for users to receive all notification e-mails in encrypted form. If you already use or are familiar with PGP, you can now provide your public key to Facebook, and it will use that key to encrypt all e-mail communications to you. Go to your Facebook profile and navigate to the "Contact and Basic Info" section of the "About" page (or click here: https://www.facebook.com/me/about?section=contact-info).

See the screenshot below, where I entered my public key.
Once you enter your public key (make sure to check the box to enable encrypted notifications) and save the changes, you will receive an encrypted e-mail from Facebook. Decrypt it with your PGP tool and confirm using the link Facebook sends you. After this, all e-mails from Facebook will be encrypted with your public key, so only you can decrypt them. In addition, you need to add Facebook's public key to your PGP keyring so you can verify the signature on each encrypted e-mail and confirm that it really came from Facebook. The key is at the link below.
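The receiving side of the process above, as an added shell example that is not from the post or from Facebook: decrypt the notification with my private key, then accept it only if gpg reports a good signature from the fingerprint of the sender's key I imported. It generates throwaway stand-in keys for me, the notification sender and an impostor (no real Facebook key or account is involved) and assumes GnuPG 2.1 or newer is installed.

```shell
#!/bin/sh
# Added demo, not from the post: stand-in keys replace the real user and Facebook keys.
set -eu
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

gen_key() {  # $1 = user id; throwaway key with no passphrase
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" default default never 2>/dev/null
}

fingerprint() {  # $1 = user id; prints the primary key fingerprint
  gpg --batch --with-colons --fingerprint "$1" | awk -F: '/^fpr:/ { print $10; exit }'
}

# make_mail: what the sender does. $1 = signer uid, $2 = body; prints an armored
# message encrypted to my key and signed with the sender's key.
make_mail() {
  printf '%s\n' "$2" | gpg --batch --quiet --armor --trust-model always \
      --local-user "$1" --recipient "me@example.com" --sign --encrypt
}

# decrypt_and_verify: what I do on receipt. $1 = armored message file, $2 = the
# fingerprint of the key I imported as the sender's. Decrypts with my private key,
# then returns the body only if gpg reports a valid signature from exactly that key.
decrypt_and_verify() {
  status="$GNUPGHOME/status.$$"
  body=$(gpg --batch --quiet --status-file "$status" --decrypt "$1" 2>/dev/null) || return 1
  signer=$(awk '/^\[GNUPG:\] VALIDSIG / { print $NF }' "$status")
  [ "$signer" = "$2" ] || return 1
  printf '%s\n' "$body"
}

# Constructed keyring: me, the stand-in notification sender, and an impostor who
# can encrypt to my public key but cannot sign with the sender's key.
gen_key "Me <me@example.com>"
gen_key "Notifications <notification@example.com>"
gen_key "Impostor <spoof@example.com>"
SENDER_FPR=$(fingerprint "notification@example.com")

make_mail "notification@example.com" "Your password reset code is 123456" > "$GNUPGHOME/genuine.asc"
make_mail "spoof@example.com" "Your password reset code is 999999" > "$GNUPGHOME/spoof.asc"
decrypt_and_verify "$GNUPGHOME/genuine.asc" "$SENDER_FPR"                       # prints the real code
decrypt_and_verify "$GNUPGHOME/spoof.asc" "$SENDER_FPR" || echo "spoofed mail rejected"
```

An impostor's key would normally not be in your keyring at all; it is generated here only so the demo runs offline, and the check fails either way because the signing fingerprint is not the expected one.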
See this whole process in action: a few days ago, someone tried multiple times to reset my Facebook account. For every attempt, I got an encrypted e-mail from Facebook, as shown in the screenshot below.

Below is the screenshot after I decrypted the content using my private key.
So even if my e-mail account were compromised (highly unlikely), the hacker can't read the code Facebook sends to reset my password, since he can't decrypt the mail without my private key. For PGP encryption/decryption, I use Google's 'End-To-End' Chrome plug-in (not available in the Chrome Web Store yet, but you can download the source code and compile it). However, there are other tools and browser plug-ins readily available which you can easily install in your browser (Chrome or Firefox) to use PGP.
If you are new to PGP, read the link below for a quick introduction before getting started with Facebook's encrypted e-mails.