Skip to content
Naked Security Naked Security

Facebook tests end-to-end encrypted Secret Conversations on Messenger

Facebook swears it can't read the messages unless a conversation gets reported. Users can also set a timer for message self-destruct.

Need to discuss private information – say, that odd rash – with friends and family? Chat with your accountant about your financials or your wonky bookkeeping methods? Sext yourself into a lather?

Facebook’s working on it: the company announced on Friday that it’s testing end-to-end encrypted messaging as an opt-in service in Messenger.

It’s also trialling the Snapchat-ish ability to make the messages disappear: users will be able to set a timer to control how long each message remains visible.

So-called “Secret Conversations” will be readable only on the sender’s and the receiver’s devices. In other words, you can’t hop around from PC to phone to tablet and read the same message on any of the devices.

Nor can Facebook itself read the messages, it promises.

From the press release:

[The] one-to-one secret conversations in Messenger… will be end-to-end encrypted and… can only be read on one device of the person you’re communicating with. That means the messages are intended just for you and the other person – not anyone else, including us.

That comes with a caveat, though: Facebook will, in fact, be able to read messages if a party in the conversation reports it. From its technical report on Secret Conversations:

Facebook will never have access to plain text messages unless one participant in a secret conversation voluntarily reports the conversation.

But generally, Facebook won’t be able to read the encrypted conversations. That’s because the encryption happens right on a given device, using keys generated specifically for each new message.

Secret Conversations is built on the Signal protocol from Open Whisper Systems: the same protocol that WhatsApp relies on for end-to-end encryption and the same one that Google used in its new Allo end-to-end encrypted messaging app.

Cybersecurity expert Professor Alan Woodward, from Surrey University, told the BBC that Signal is well-tested and well-regarded in the cryptography community: he said if he had to choose from current messaging systems, he’d be looking for one based on Signal.

He noted, though, that Facebook hasn’t been particularly forthcoming with details of how Signal was implemented:

[Facebook’s technical report was] not as complete as many would like… I’d like to know more about exactly how it is implemented, or at least know that those who can analyze such systems have scrutinized the code.

Facebook says Messenger’s using the Signal protocol implementation currently available in open-source libraries for Android and iOS, but it’s added new abuse-reporting features to what’s in use now by other platforms.

Not all Messenger conversations will have end-to-end encryption. As was rumored last month, it’s opt-in: a choice that dissatisfied some in the security community.

Facebook put some thought into that decision, it says: as it is, Secret Conversations are going to be barebones, stripped of rich content like GIFs, videos, the ability to make payments, or other popular Messenger features.

From Facebook:

Starting a secret conversation with someone is optional. That’s because many people want Messenger to work when you switch between devices, such as a tablet, desktop computer or phone. Secret conversations can only be read on one device and we recognize that experience may not be right for everyone.

Facebook’s running tests on a limited basis, adding that Secret Conversations would become more widely available over the next few months.

14 Comments

“Nor can Facebook itself read the messages, it promises.”

This made my day hahaha.

The question I’m about to ask is off-topic, but I’m going to ask, anyway. Here goes:

Facebook texts me a 5 digit code after I enter my cell phone number and my 40+ character-letter-number password. Once I enter the code, Facebook asks me if I want it to remember my browser (I always choose No). I update my password once every few months. I log out of Facebook when I’m done with a session. Then, I clear my browsing history and close my browser.

My cell phone has no access to the internet and no one has access to the phone except for me. No one has access to my computer except for me.

Despite the above precautions, my Facebook account gets hacked once every two or three months on average. Someone changes my password some time during the night.

I suspect a certain individual (whom I have never personally met and with whom I have not communicated in any way in several years) who lives in another state is hacking my account, but I have no proof. This individual hacked my computer for 2 1/2 years before I realized he had captured every one of my keystrokes during the intervening time.

I am finding it impossible to get this sadistic person out of my life.

So, how is he hacking into my Facebook account?

More importantly, what can I do to prevent my Facebook account from being hacked yet again — other than to delete everything in my account and to deactivate it? What am I not doing that I should be doing in order to adequately secure my account?

If they had a keylogger running on you for 2.5 years then they know a lot more than your Facebook password. If you’re consistently being rehacked, consider how similar your new passwords are to the old (including any you used for any accounts during that 2.5 year span). If there is in fact someone who is doing this to continually target you, the best thing you can likely do is to get a completely fresh device, start using a password manager to generate truly random passwords (for *all* your accounts), and then see if the abuse continues at that point.

Oh, also how could I forget about our good friend 2 factor authorization? Add that too so at least the next time they manage to crack your password you’ll know immediately

Observer, unfortunately (for me) I’ve already been there and done that.

For years now, I have used 2FA for my Facebook account and for all of my email addresses and some other accounts, thanks to a collective push from Naked Security’s blog.

I use a long letter-number-character unique password for each of my online accounts in conjunction with 2FA codes that are sent to my phone (which has no access to the internet).

I started to use a brand new computer and changed all of my passwords once I realized the person (who I mentioned in my previous comment, above) had stalked me nonstop for the previous 2 1/2 years.

I uninstall all my programs, wipe my hard drive, and then reinstall my programs once every few months. I change my passwords once every few months, too.

Even so, this person continues to hack my Facebook account, on average, once every two to three months. He administers a Facebook group page that I had clicked Like and posted inoffensive comments on many years ago. To this day, he occasionally clicks Like or comments on something that I posted or commented on years ago. By doing so, he drops me cryptic hints that he is still watching me. This usually happens right around the same time that someone changes my Facebook password.

Facebook notifies me when someone has accessed my account. Problem there is, the aforesaid online stalker changes my password at night (e.g., 3 a.m.). This gives him several hours to access my account and to download all of my information before I am even awake to log in and find out that I am locked out of my own account.

I am reluctant to close my Facebook account or my other online accounts. If I do, I suspect the stalker will assume my accounts and post and send offensive and/or weird comments and photos in my name.

As I said before, I have never personally met this man. To the best of my knowledge, I do not personally know any of his relatives or his acquaintances. Do bullies actually have friends? I am a stranger to him and he is a stranger to me. Even so, he seems to enjoy having the sadistic power to control another person.

So, back to my original questions:

1. How is this individual hacking my Facebook account, despite all many precautions I have taken and continue to take?; and

2. More importantly, what can I do that I am not doing to prevent my online accounts (Facebook and otherwise) from being hacked — apart from deactivating them?

What the heck??!! My boyfriend saw the secret conversation deal on my messenger and now he thinks I’m cheating or something! Facebook or whoever set this up needs to make it known that this does not mean I have hidden conversations on my phone!!

If a person obtains my password, would this person still be able to view my secret conversations on a different device or phone, even with my password and other account information?

I agree even tho they may have trust issues who needs more stuff like this to complicate life!!! There is enough to worry about and yall keep making it easier to lie,hide cheat and allow ways for these things to happen even tho people should have enough respect to not do it they will if givin more and more options!!!!

So what has to be done after getting completely locked out of the whole account? Anything at this point will work I

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?