Facebook has completed its migration to secure browsing by default for all users, a years-long initiative that other online-based organizations have also implemented
‘HTTPS’, symbolized by the padlock in the left end of the address bar, is an encrypted protocol that prevents the unauthorized hijacking of private sessions and data.
The massively popular social network introduced secure browsing – using Transport Layer Security (TLS) to make web communications more secure – as an option in 2011 and saw a steady increase in adopters before it started actively migrating users to HTTPS by default toward the beginning of this year.
The migration to default secure browsing presented some challenges along the way, admitted software engineer Scott Renfro in a blog post.
Performance issues were perhaps the greatest challenges the engineering team at Facebook was able to overcome when making the transition to secure browsing, said Renfro. He explained HTTPS at least doubles the amount of “round trips” necessary for a web browser to communicate with Facebook servers.
“When combined with an already-slow connection, this additional latency on every request could be very noticeable and frustrating,” he wrote. “Thankfully, we’ve been able to avoid this extra latency in most cases by upgrading our infrastructure and using abbreviated handshakes.”
Renfro added that some mobile phones and mobile carrier gateways do not yet fully support HTTPS, so users will experience a session downgrade in some instances.
He said there is ongoing work that includes moving to 2048-bit RSA keys, elliptic curve cryptography, elliptic curve ephemeral Diffie-Hellman (ECDHE) key exchange, certificate pinning and HTTP Strict Transport Security (HSTS). All are meant to create for a safer web browsing experience.
“We’re really happy with how much of Facebook’s traffic is now encrypted and are even more excited about the future changes we’re preparing to launch,” he wrote.
A Facebook spokesman deferred a request for comment to the blog post by Renfro.