Original URL: http://www.theregister.co.uk/2013/08/01/facebook_https_by_default/

Facebook: 'Don't worry, your posts are SECURE with us'

Never mind PRISM, you've got HTTPS by default

By Neil McAllister

Posted in Security, 1st August 2013 21:09 GMT

Facebook has announced that it has finished migrating its users to secure browsing, with all 1.15 billion active user accounts now accessing the site over encrypted HTTPS by default.

The social network first offered secure browsing as an option in January 2011, and then slowly began making it the default in various regions. It flipped the switch for North American users in November 2012, but it took several more months for it to follow suit for the rest of the world.

"Now that https is on by default, virtually all traffic to www.facebook.com and 80% of traffic to m.facebook.com uses a secure connection," Facebook engineer Scott Renfro wrote in a blog post on Wednesday. "Our native apps for Android and iOS have long used https as well."

The migration process took as long as it did, Renfro explained, because switching all of Facebook over to secure browsing wasn't as simple as just switching the URL protocol from HTTP to HTTPS.

There were a variety of up-front engineering puzzles to solve, such as how to ensure that Facebook's authentication cookies were only visible over secure connections, and how to upgrade users to secure connections "in flight" if they happened to navigate to a Facebook page from an insecure link.

Zuck & Co. also needed to give its application-development partners time to upgrade their apps to support HTTPS, because insecure third-party apps would stop working if they were embedded in secure Facebook pages. Typically, developers were given 150 days to switch their apps over.

And then there was the problem of mobile devices that lacked full support for HTTPS. Because Facebook dare not scare away mobile users – mobile ads made up 41 per cent of its ad revenue in its most recent quarter – there needed to be a way to downgrade the user's connection to HTTP on phones that couldn't handle the encryption.

But the biggest issue, Renfro said, was performance. Secure sessions require extra chitchat between client and server, which can bog down connections if you're in a part of the world where network conditions are poor. To help alleviate the problem, Facebook has been deploying custom load balancers around the world to help route traffic to its data centers, while simultaneously improving the efficiency of its secure session handshaking.

The move sees Facebook join a growing number of companies that have made secure connections standard for their online services. Google made HTTPS the default for all web searches in 2011, for example, and Twitter switched to always-on encryption the following year.

But there are still additional hurdles ahead. Like many other companies, Facebook has committed to switching to 2048-bit encryption keys for additional security. It also hopes to switch to elliptic-curve cryptography algorithms in the near future, which are more computationally efficient, and to implement stricter session controls as it phases out the option to opt out of HTTPS.

"Turning on https by default is a dream come true, and something Facebook's Traffic, Network, Security Infrastructure, and Security teams have worked on for years," Renfro wrote. "We're really happy with how much of Facebook's traffic is now encrypted and are even more excited about the future changes we're preparing to launch." ®