Note: I have concerns about potential attack vectors, which could allow Facebook to steal private keys from the bookmarklet. This would compromise the very goal of fb-sec: total confidentiality of your messages. Therefore, unfortunately, this project is discontinued.
Private messages should be private. Even when sent through Facebook. We aim to accomplish just that.
To obtain your personal fb-sec bookmarklet and public key, visit the fb-sec homepage and follow the instructions there. Basically:
- Install the bookmarklet by dragging the key symbol to the bookmarks bar and copy the public key from the text field
- Go to your Facebook profile's "About" page
- Paste the public key there, so that others can send you encrypted messages
- Before reading/writing messages on Facebook, click the bookmark
The core principle of fb-sec is its use of public-key cryptography. In short:
- Every user possesses a key pair consisting of exactly two keys:
- a private key, which has to be kept secret,
- and a public key, which can be published anywhere.
- A message encrypted with a user's public key can only be decrypted with the corresponding private key.
This means that not even Facebook (nor anyone else except the person you're writing to) can read your messages.
Currently fb-sec uses the RSA asymmetric key algorithm. Keys are generated in your browser, so no one else ever learns your personal key pair.
Before any message is sent to a Facebook server, fb-sec encrypts it with the public keys of your friends. Their public keys are simply published on their Facebook profile's info page and are thus accessible to the bookmarklet.
Similarly, messages sent to you and encrypted with your own public key can only be read by you alone.
Because your private key is stored inside the fb-sec bookmark, it is crucial that nobody except you ever has access to your bookmark data.
When you are signed in to Google Chrome, you should not sync your bookmarks, because synced bookmark data (and with it your private key) is uploaded to Google's servers.
If you still want to synchronize, at least make sure to encrypt all synced data using a custom passphrase. Be aware, however, that your best option may be to not sync bookmarks at all.
- Recommended RSA key size: Wikipedia RSA (algorithm) - Integer factorization and RSA problem and Technical Report by Robert D. Silverman, RSA Laboratories
- Recommended value for the public exponent "e": Wikipedia RSA (algorithm) - RSA Faulty Key Generation