Facebook: 'Don't worry, your posts are SECURE with us'

Never mind PRISM, you've got HTTPS by default

SANS - Survey on application security programs

Facebook has announced that it has finished migrating its users to secure browsing, with all 1.15 billion active user accounts now accessing the site over encrypted HTTPS by default.

The social network first offered secure browsing as an option in January 2011, and then slowly began making it the default in various regions. It flipped the switch for North American users in November 2012, but it took several more months for it to follow suit for the rest of the world.

"Now that https is on by default, virtually all traffic to www.facebook.com and 80% of traffic to m.facebook.com uses a secure connection," Facebook engineer Scott Renfro wrote in a blog post on Wednesday. "Our native apps for Android and iOS have long used https as well."

The migration process took as long as it did, Renfro explained, because switching all of Facebook over to secure browsing wasn't as simple as just switching the URL protocol from HTTP to HTTPS.

There were a variety of up-front engineering puzzles to solve, such as how to ensure that Facebook's authentication cookies were only visible over secure connections, and how to upgrade users to secure connections "in flight" if they happened to navigate to a Facebook page from an insecure link.

Zuck & Co. also needed to give its application-development partners time to upgrade their apps to support HTTPS, because insecure third-party apps would stop working if they were embedded in secure Facebook pages. Typically, developers were given 150 days to switch their apps over.

And then there was the problem of mobile devices that lacked full support for HTTPS. Because Facebook dare not scare away mobile users – mobile ads made up 41 per cent of its ad revenue in its most recent quarter – there needed to be a way to downgrade the user's connection to HTTP on phones that couldn't handle the encryption.

But the biggest issue, Renfro said, was performance. Secure sessions require extra chitchat between client and server, which can bog down connections if you're in a part of the world where network conditions are poor. To help alleviate the problem, Facebook has been deploying custom load balancers around the world to help route traffic to its data centers, while simultaneously improving the efficiency of its secure session handshaking.

The move sees Facebook join a growing number of companies that have made secure connections standard for their online services. Google made HTTPS the default for all web searches in 2011, for example, and Twitter switched to always-on encryption the following year.

But there are still additional hurdles ahead. Like many other companies, Facebook has committed to switching to 2048-bit encryption keys for additional security. It also hopes to switch to elliptic-curve cryptography algorithms in the near future, which are more computationally efficient, and to implement stricter session controls as it phases out the option to opt out of HTTPS.

"Turning on https by default is a dream come true, and something Facebook's Traffic, Network, Security Infrastructure, and Security teams have worked on for years," Renfro wrote. "We're really happy with how much of Facebook's traffic is now encrypted and are even more excited about the future changes we're preparing to launch." ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story


Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.