Facebook transitions to secure browsing by default for everyone

Facebook has completed its migration to secure browsing by default for all users, a years-long initiative that other online organizations have also implemented.

'HTTPS', symbolized by the padlock at the left end of the address bar, is an encrypted protocol that prevents the unauthorized hijacking of private sessions and data.

The massively popular social network introduced secure browsing – using Transport Layer Security (TLS) to make web communications more secure – as an option in 2011 and saw a steady increase in adopters before it started actively migrating users to HTTPS by default toward the beginning of this year.

The migration to default secure browsing presented some challenges along the way, admitted software engineer Scott Renfro in a blog post.

Performance issues were perhaps the greatest challenges the engineering team at Facebook was able to overcome when making the transition to secure browsing, said Renfro. He explained that HTTPS at least doubles the number of “round trips” necessary for a web browser to communicate with Facebook servers.

“When combined with an already-slow connection, this additional latency on every request could be very noticeable and frustrating,” he wrote. “Thankfully, we've been able to avoid this extra latency in most cases by upgrading our infrastructure and using abbreviated handshakes.”

Renfro added that some mobile phones and mobile carrier gateways do not yet fully support HTTPS, so users will experience a session downgrade in some instances.

He said there is ongoing work that includes moving to 2048-bit RSA keys, elliptic curve cryptography, elliptic curve ephemeral Diffie-Hellman (ECDHE) key exchange, certificate pinning and HTTP Strict Transport Security (HSTS). All are meant to create a safer web browsing experience.

“We're really happy with how much of Facebook's traffic is now encrypted and are even more excited about the future changes we're preparing to launch,” he wrote.

A Facebook spokesman deferred a request for comment to the blog post by Renfro.
