Messenger Privacy Guard
Enable end-to-end encryption on Messenger.com using GPG.
This project is the result of Team Floki's 24 hour hackaton attendance at Copenhacks. As such, the project is currently just a Proof of Concept. Encrypted conversations work and data is encrypted and decrypted on the fly. However, there are no guarantees regarding the security and validity of the solution. Please remember to be careful when dealing with sensitive data.
This userscript currently isn't self contained - in order to communicate with your local GPG keychain, a GPG API server is needed, as well as some local set-up.
To use this project, you need to have a recent version of GPG, NodeJS and NPM installed.
Your browser needs to be able to load userscripts. We've tested with Greasemonkey and Tampermonkey on Firefox and Chrome.
Cloning the project
cd mpg; npm install;
Starting the HTTPS proxy
Due to Facebook's Content Security Policy, scripts running on Messenger.com can only send AJAX requests to certain whitelisted domains and all communication must be done over HTTPS. In order to get around this, we currently use a simple HTTPS proxy.
To set everything up, you need to do the following:
pgp.messenger.com points to 127.0.0.11. Edit your hosts file so that
This is neccessary to get around the CSP restriction, as domains *.messenger.com are allowed.
To do this, open
/etc/hosts (on OSX and Linux) and add the following line:
2. Start the HTTPS proxy server
cd mpg; node https_proxy.js;
3. Accept or import the proxy SSL certificate
If you now open https://pgp.messenger.com in your browser, you should get a security error saying that the certificate is not trusted. On Firefox, you should be able to permanently add an exception for this domain. For this to work in Chrome, you need to import the page's SSL certificate.
4. Start the GPG API server
In order for the userscript to communicate with your local GPG keychain, we've built a simple API server which provides encryption and decryption functionalities. You can start it with:
cd mpg; node app.js;
5. Add the userscript to your browser
After installing the appropriate extension, import the file messenger.js as a new userscript.
6. Open Messenger.com and communicate!
After having everything set up correctly, you should now be able to open Messenger.com and exchange encrypted messages. Remember - in order to secure your communications, both parties need to have each other's keys, locally signed and trusted.
The web component is a modification of a template by HTML5 UP which was made available under CCA 3.0.