tl;dr — 1) Facebook genuinely care about security and privacy; you may think this is bonkers, but they do. 2) PGP is cool, and FB recognise this. 3) Enabling PGP encryption for email enables an end-to-end-secure (strictly: server-to-eyeballs-secure) means of communication. (cont…)
Replying to @AlecMuffett @Pinboard
4) Having E2E Security for Email is especially cool, because it protects notifications of sensitive content (eg: message fragments) -AND- account recovery dialogues; the latter is especially useful for additional hardening of your account against hijack.
Replying to @AlecMuffett @Pinboard
So, it seemed like a great idea to: (a) help get more people using PGP and (b) protect people's communication and (c) offer more protection for account holders, plus (d) it was cool, and fun to build. That's why. Any more questions?
Replying to @AlecMuffett @Pinboard
ps: 1) consider the number of email providers that get popped 2) consider the number of passwords that are reused 3) consider how beneficial it might be to have a private key stashed on a laptop, protecting your account recovery flow 4) wonder why you haven't enabled it already?
Replying to @AlecMuffett
The setup process for adding your PGP key to Facebook encourages you to add your mobile phone number, which overall makes your account less secure.
Replying to @Pinboard
"HEY, FACEBOOK! I LOST MY PGP KEY AND MY ACCOUNT PASSWORD! CAN YOU HELP?" "Did you set up an alternative form of 2FA? Like SMS or something?" "NO, BECAUSE I AM SECRETLY EDWARD SNOWDEN AND HAVE A THREAT MODEL. OR SOMETHING." "Oops."
Replying to @AlecMuffett
Facebook actually has a fallback authentication mechanism that doesn't make you more vulnerable ('Trusted Friends'), but it encourages you to add SMS. Sad!
Replying to @Pinboard
In case this little role-play is not clear: using PGP to secure your account is not some half-assed thing; if you lose both your PGP key AND ALSO your Facebook password, you are _screwed_; hence the push towards backup 2FA. I am not sure what the minimum spec is at the moment.
Replying to @AlecMuffett
My point is the backup 2FA it pushes you to use more than negates the security advantage of having this feature in the first place. Additional bonus point: ALL CAPS mockery may not be the most effective way for us to discuss this
Replying to @Pinboard
"OMG! Edward! Really? Can I have your autograph?" We can leave the discussion of the ease of mounting a SS7 attack against everyday users, versus the likelihood that anyone who -really- might face an SS7 attack not choosing "Trusted Contacts", until morning my time.
I work with Congressional campaigns.
Replying to @Pinboard
Well, I'm not getting paid for this shit, and I'm not invested in fixing _you_, so I'm just in it for the lulz. If you wanna take the "ZOMG SMS IS SOOO INSECURE BECAUSE SS7"-tack, be my guest, but I'll call that "idealist to the point of making users' lives overcomplicated".
Replying to @AlecMuffett @Pinboard
You have politicians to deal with, then address their threat model proportionately and stop pretending that everyone has to hit that bar.