Facebook: 'Don't worry, your posts are SECURE with us'

Never mind PRISM, you've got HTTPS by default

Protecting against web application threats using SSL

Facebook has announced that it has finished migrating its users to secure browsing, with all 1.15 billion active user accounts now accessing the site over encrypted HTTPS by default.

The social network first offered secure browsing as an option in January 2011, and then slowly began making it the default in various regions. It flipped the switch for North American users in November 2012, but it took several more months for it to follow suit for the rest of the world.

"Now that https is on by default, virtually all traffic to www.facebook.com and 80% of traffic to m.facebook.com uses a secure connection," Facebook engineer Scott Renfro wrote in a blog post on Wednesday. "Our native apps for Android and iOS have long used https as well."

The migration process took as long as it did, Renfro explained, because switching all of Facebook over to secure browsing wasn't as simple as just switching the URL protocol from HTTP to HTTPS.

There were a variety of up-front engineering puzzles to solve, such as how to ensure that Facebook's authentication cookies were only visible over secure connections, and how to upgrade users to secure connections "in flight" if they happened to navigate to a Facebook page from an insecure link.

Zuck & Co. also needed to give its application-development partners time to upgrade their apps to support HTTPS, because insecure third-party apps would stop working if they were embedded in secure Facebook pages. Typically, developers were given 150 days to switch their apps over.

And then there was the problem of mobile devices that lacked full support for HTTPS. Because Facebook dare not scare away mobile users – mobile ads made up 41 per cent of its ad revenue in its most recent quarter – there needed to be a way to downgrade the user's connection to HTTP on phones that couldn't handle the encryption.

But the biggest issue, Renfro said, was performance. Secure sessions require extra chitchat between client and server, which can bog down connections if you're in a part of the world where network conditions are poor. To help alleviate the problem, Facebook has been deploying custom load balancers around the world to help route traffic to its data centers, while simultaneously improving the efficiency of its secure session handshaking.

The move sees Facebook join a growing number of companies that have made secure connections standard for their online services. Google made HTTPS the default for all web searches in 2011, for example, and Twitter switched to always-on encryption the following year.

But there are still additional hurdles ahead. Like many other companies, Facebook has committed to switching to 2048-bit encryption keys for additional security. It also hopes to switch to elliptic-curve cryptography algorithms in the near future, which are more computationally efficient, and to implement stricter session controls as it phases out the option to opt out of HTTPS.

"Turning on https by default is a dream come true, and something Facebook's Traffic, Network, Security Infrastructure, and Security teams have worked on for years," Renfro wrote. "We're really happy with how much of Facebook's traffic is now encrypted and are even more excited about the future changes we're preparing to launch." ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.