Facebook transitions to secure browsing by default for everyone

Facebook has completed its migration to secure browsing by default for all users, a years-long initiative that other online-based organizations have also implemented.

HTTPS, symbolized by the padlock at the left end of the address bar, is an encrypted protocol that prevents the unauthorized hijacking of private sessions and data.

The massively popular social network introduced secure browsing – using Transport Layer Security (TLS) to make web communications more secure – as an option in 2011 and saw a steady increase in adopters before it started actively migrating users to HTTPS by default toward the beginning of this year.

The migration to default secure browsing presented some challenges along the way, admitted software engineer Scott Renfro in a blog post.

Performance issues were perhaps the greatest challenges the engineering team at Facebook was able to overcome when making the transition to secure browsing, said Renfro. He explained that HTTPS at least doubles the number of “round trips” necessary for a web browser to communicate with Facebook servers.

“When combined with an already-slow connection, this additional latency on every request could be very noticeable and frustrating,” he wrote. “Thankfully, we've been able to avoid this extra latency in most cases by upgrading our infrastructure and using abbreviated handshakes.”

Renfro added that some mobile phones and mobile carrier gateways do not yet fully support HTTPS, so users will experience a session downgrade in some instances.

He said there is ongoing work that includes moving to 2048-bit RSA keys, elliptic curve cryptography, elliptic curve ephemeral Diffie-Hellman (ECDHE) key exchange, certificate pinning and HTTP Strict Transport Security (HSTS). All are meant to create a safer web browsing experience.

“We're really happy with how much of Facebook's traffic is now encrypted and are even more excited about the future changes we're preparing to launch,” he wrote.

A Facebook spokesman deferred a request for comment to the blog post by Renfro.
