Using social networks raises various problems that go beyond the scope of this article. But two problems are usually forgotten. Social networks periodically send their users letters about recent events: friends' posts, replies, likes, personal messages, and so on. There are two problems with these letters.
First, a letter on its way to you can be read by someone else. Say you took part in a discussion on a social network (perhaps one with limited access), and today a new statement appeared in it. Or someone sent you confidential information through the social network. Or something else. And the social network sent you an e-mail quoting the text of the message. On its way to you, the letter passes through different nodes of the network, and anyone who has access to any of these nodes can read it.
Second, an attacker can send you a letter that imitates a letter from the social network. Yes, if you look at the letter closely, you can tell that it is not real; but do you carefully examine every email you receive?
Now imagine that a social network sends you its letters encrypted, and that on your computer these letters are decrypted automatically: you read them as before, and no one else can read them. Imagine also that the social network signs its letters to you, and when you open a signed letter, you see a short notice above its text saying whether the signature is genuine or fake. Wouldn't that be great? As for whether different social networks offer this functionality, I have three pieces of news for you. The bad news: Habr has no such functionality. More bad news: most social networks do not have it either. And finally, the good news: one social network does have it, and that social network is Facebook.
Next, I explain how to take advantage of these great features. The text is written to be understandable even for completely inexperienced users; no knowledge of foreign languages is required. Yes, I know that Habr's audience is not like that; the article is addressed not so much to Habr readers as to their friends and acquaintances.
My preferred mail program is Thunderbird, and from here on I assume that you use it. You need to install a Thunderbird add-on called Enigmail. Do not worry: it is not complicated.
Go to the Enigmail site (do not pay attention to the English language of the site - if you have Thunderbird in Russian, then Enigmail will also be in Russian).

On the page you will see a well-marked link "Download Enigmail Now". Click on it with the right mouse button; in the menu that opens, left-click on the "Save Target As ..." command (or, depending on the browser you use, "Save link as ..." or similar; in both cases without quotes) and download the file without changing its name (remember where you downloaded it).
Switch to Thunderbird.

(Note. Next, I present actions using the menu bar. The same functions are available by pressing the three-dash popup button just below the upper right corner of the window. Experienced users can easily figure it out. But if you are an inexperienced user and the menu bar is off, then I advise you to turn it on. To do this, click the mentioned button, then “Settings”, then “Menu Bar”.)

Open the "Tools" menu, and in it "Add-ons".
In the tab that opens, click the button with the gear icon and, in the menu that opens, select “Install add-on from file ...”. Point to the file you downloaded (just in case, a reminder: the file name starts with enigmail- and has the .xpi extension). You will be asked to confirm; in the confirmation window, click the "Install Now" button. (If you suspect that this is a virus, then check with fifteen antiviruses; if you understand English, then for complete certainty you can check with fifty-nine antiviruses.)
One more add-on will appear in the list of installed add-ons, and the title of a new menu will appear in the menu bar. The Add-ons Management tab can be closed.


Open the "Edit" menu, and in it "Settings". In the "Thunderbird Settings" window that opens, go to the "Privacy" tab.
Make sure that the item “Allow messages to show content from the Internet” in the “Email content” section is turned off: if there is no tick in the corresponding box, leave it as it is; if there is one, remove it. In the “Enigmail Junior Mode” section, select the “Force using S/MIME and Enigmail” item (the menu name “Enigmail / p≡p” will change to “Enigmail”).
Click on the "Close" button at the bottom of the "Thunderbird Settings" window. Close Thunderbird, wait a few seconds and run it again.

Open the "Enigmail" menu, and in it the "Key Manager".


The Enigmail Key Management window opens. Open the “View” menu and make sure that “Show keys to other people” is unchecked (and if it is checked, click on it to clear the check mark). Your keys may have been created automatically when installing Enigmail; if you see your name and email address in the "Name" column, skip the next paragraph (until the words "So, you have").

To create keys, open the “Create” menu, then “New key pair”. The OpenPGP Key Generation window opens.

Put a check mark next to the words “Without a password”, and after the words “The key expires in”, change “5” to “1”. Carefully read the text at the bottom of the window and click on the "Create a key" button. You can do other things while you wait; once the key has been created, return to the Enigmail Key Management window (the OpenPGP Key Generation window will have closed by then).
So, you have a pair of keys. Yes, there are two of them: a private key and a public key.

I suppose you understand the meaning of the words “private conversation” and “public statement”: the content of a private conversation should not become known to outsiders, while the content of a public statement is meant to be known to a wide circle of people. The difference between a private key and a public key is the same: the private key should be hidden and shown to no one, and the public key can be published (it is no accident that these words share a root). The private key is also called the secret key.
Right-click your key pair and, in the menu that opens, left-click the "Create and save certificate of revocation" command. Choose a place to save it (you can change the proposed file name to one that is more obvious to you; for example, revoke-key.txt) and click “Save”. A message will be displayed in English; here is its translation:

“The certificate of revocation has been successfully created. You can use it to invalidate your public key; for example, in case you lost your secret key.”
Again, right-click your key pair and, in the menu that opens, left-click "Export keys to file". A small window will open asking “Do you want to include the private key in the saved OpenPGP key file?” Click the “Export Private Keys” button in this window; select a place to save the file (here, too, you can change the proposed file name to one that is more obvious to you; for example, private-key.txt) and click Save.


The message “Keys have been successfully saved” will be displayed; click on the "Close" button.
Hide the two files you just saved somewhere you can easily find them and someone else is unlikely to. For example, if deep in a desk or cabinet you have a flash drive that you do not carry anywhere and on which you store important secret files, then move these two files to that flash drive.
Again, right-click your key pair and, in the menu that opens, again left-click the "Export keys to file" command. But this time, click the "Export only public keys" button; choose a place to save the file (here, too, you can change the proposed file name to one that is more obvious to you; for example, public-key.txt) and click “Save”. The message “Keys have been successfully saved” will be displayed; click on the "Close" button. Unlike the previous two, this file does not need to be hidden.
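As an added illustration (not part of the original article): a Python check that a file you are about to paste or publish, such as public-key.txt above, contains only public key material and is undamaged. The function names and the sample blocks are assumptions made up for this example; the samples hold dummy bytes, not real keys.

```python
import base64
import re

PUBLIC_TAGS = {6, 14}  # OpenPGP public key / public subkey packets (RFC 4880)
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", re.S)

def crc24(data: bytes) -> bytes:  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return (crc & 0xFFFFFF).to_bytes(3, "big")

def armor(kind: str, data: bytes) -> str:  # only builds the sample input
    body = base64.b64encode(data).decode()
    check = base64.b64encode(crc24(data)).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={check}\n-----END PGP {kind}-----\n"

def first_packet_tag(data: bytes) -> int:  # new or old packet header format
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    head = data[0]
    return head & 0x3F if head & 0x40 else (head >> 2) & 0x0F

def inspect_export(text: str) -> list:
    """Return (armor label, first packet tag, checksum ok) for each block."""
    found = []
    for kind, inner in ARMOR_RE.findall(text):
        # Armor headers end at the first blank line; the rest is base64 + "=CRC".
        payload = re.split(r"\r?\n\r?\n", inner, maxsplit=1)[-1]
        lines = [ln.strip() for ln in payload.splitlines() if ln.strip()]
        crc_line = lines.pop() if lines and lines[-1].startswith("=") else ""
        data = base64.b64decode("".join(lines))
        crc_ok = base64.b64decode(crc_line[1:]) == crc24(data)
        found.append((kind, first_packet_tag(data), crc_ok))
    return found

def safe_to_publish(text: str) -> bool:
    """True only if every block is an intact public key block."""
    blocks = inspect_export(text)
    return bool(blocks) and all(k == "PUBLIC KEY BLOCK" and t in PUBLIC_TAGS
                                and ok for k, t, ok in blocks)

# Constructed sample packets (dummy bytes, not real key material).
PUBLIC_SAMPLE = armor("PUBLIC KEY BLOCK", b"\x99\x00\x04demo")
SECRET_SAMPLE = armor("PRIVATE KEY BLOCK", b"\x95\x00\x04demo")
```

The check looks at the first packet tag as well as the armor label, so a secret key saved under a "PUBLIC KEY BLOCK" label is still rejected.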

So, the climax. Switch to the browser and go to Facebook. At the top edge of the page on the right, you see several icons. Click on the rightmost one, which looks like a small triangle pointing down. Move the pointer down and click the line with the word "Settings".

On the next page, the table of contents is on the left; click the "Security and Login" line. Scroll to the end of the next page; at the bottom of the page is the group “Advanced settings”, and in it, click on the line “Encrypted emails with notifications”.

An input box appears. At the bottom of the page, above the “Save Changes” button, is the phrase “Download the Facebook public key here”, in which the word “here” is a link; right-click this link and select Copy Link.


Switch to the Enigmail Key Management window; open the “Edit” menu and in it “Import keys by URL”.

In the prompt that appears, right-click in the input field, then select "Paste"; click OK, OK again, and OK again.




Again, right-click your key pair, in the menu that opens, left-click the "Copy public keys to clipboard" command.
Switch to the browser; right-click in the input field, then select "Paste". Scroll down the page; make sure that a check mark is placed next to the words “Use this public key to encrypt notifications that Facebook sends to your email address?” (if not, put one there). Click the "Save Changes" button.

Soon Facebook will send you a letter; above the letter you will see: “Decrypted message; Good signature from Facebook, Inc.”.

The letter is in English. Here is the translation:
This is a letter to help you enable encrypted email notifications for your Facebook account.
If you prefer not to enable encrypted email notifications from Facebook, you can simply ignore this message.
If you enable encrypted email notifications, Facebook will begin to encrypt the email notifications sent to you with your public key. These may include email notifications for account recovery.
BE CAREFUL: If in the future you are unable to decrypt your account recovery email notifications and at the same time lose access to Facebook, you may not be able to restore your Facebook account.
To continue enabling email notification encryption, please click this link:
Yes, encrypt email notifications sent to me by Facebook.
The string "Yes, encrypt notification emails sent to me from Facebook" (translated above as "Yes, encrypt email notifications sent to me by Facebook") is a link; if you have not changed your mind, click it. From now on, Facebook will sign the letters it sends you with its private key and encrypt them with your public key.
I have one more piece of good news for you: Facebook is not the only one who can sign and encrypt letters. Any of your friends can send you a letter signed with their private key and encrypted with your public key, provided, of course, that they have Enigmail (or another program with such functionality) and your public key; only you will be able to read this letter. In the same way, you can send someone a letter signed with your private key and encrypted with that person's public key. But more about this another time.