Enable end-to-end encryption on Messenger.com using GPG.
This userscript currently isn't self contained - in order to communicate with your local GPG keychain, a GPG API server is needed, as well as some local set-up.
To use this project, you need to have a recent version of GPG, NodeJS and NPM installed.
Your browser needs to be able to load userscripts. We've tested with Greasemonkey and Tampermonkey on Firefox and Chrome.
cd mpg;
npm install;
Due to Facebook's Content Security Policy, scripts running on Messenger.com can only send AJAX requests to certain whitelisted domains and all communication must be done over HTTPS. In order to get around this, we currently use a simple HTTPS proxy.
To set everything up, you need to do the following:
- Edit your hosts file so that pgp.messenger.com points to 127.0.0.1
This is neccessary to get around the CSP restriction, as domains *.messenger.com are allowed.
To do this, open /etc/hosts (on OSX and Linux) and add the following line:
127.0.0.1 pgp.messenger.com
- Start the HTTPS proxy server
cd mpg;
node https_proxy.js
- Accept or import the proxy SSL certificate
If you now open https://pgp.messenger.com in your browser, you should get a security error saying that the certificate is not trusted. On Firefox, you should be able to permanently add an exception for this domain. For this to work in Chrome, you need to import the page's SSL certificate.
- Start the GPG API server
In order for the userscript to communicate with your local GPG keychain, we've built a simple API server which provides encryption and decryption functionalities. You can start it with:
cd mpg;
node app.js;
- Add the userscript to your browser
The easiest way to do this is to use Greasemonkey for Firefox or Tampermonkey for Chrome.
After installing the appropriate extension, import the file messenger.js as a new userscript.
- Open Messenger.com and communicate!
After having everything set up correctly, you should now be able to open Messenger.com and exchange encrypted messages. Remember - in order to secure your communications, both parties need to have each other's keys, locally signed and trusted.