Facebook to roll out HTTPS by default to all users

The connections of all Facebook users with the website will be encrypted by default

Facebook started encrypting the connections of its North American users by default last week as part of a plan to roll out always-on HTTPS (Hypertext Transfer Protocol Secure) to its entire global user base.

For the past several years, security experts and privacy advocates have called on Facebook to enable always-on HTTPS by default because the feature prevents account hijacking attacks over insecure networks and also stops the governments of some countries from spying on the Facebook activities of their residents.

Despite the feature's security benefits, Facebook announced the start of its HTTPS roll-out in a post on its Developer Blog last week, and not through its security page or its newsroom.

"As announced last year, we are moving to HTTPS for all users," Facebook platform engineer Shireesh Asthana said Thursday in a blog post that also described many other platform changes and bug fixes relevant to developers. "This week, we're starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world."

It's not clear when exactly the roll-out for the rest of the world will start. Facebook did not immediately respond to a request for comment.

The Electronic Frontier Foundation (EFF), a digital rights organizations, welcomed the move via Twitter on Monday describing it as a "huge step forward for encrypting the web."

The EFF has long been a proponent of always-on HTTPS adoption. In collaboration with the Tor Project, creator of the Tor anonymizing network and software, the EFF maintains a browser extension called HTTP Everywhere that forces always-on HTTPS connections by default on websites that only support the feature on an opt-in basis. Twitter, Gmail and other Google services have HTTPS already turned on by default.

Facebook launched always-on HTTPS as an opt-in feature for users in Jan. 2011. However, the initial implementation was lacking because whenever users launched a third-party application that didn't support HTTPS on the website, the entire Facebook connection was switched back to HTTP.

In order to address this problem, in May 2011 Facebook asked all platform application developers to acquire SSL certificates and make their apps HTTPS-compatible by Oct. 1 that same year.

It's not clear why it took the company another year after that deadline expired in order to finally be able to offer always-on HTTPS by default.

Ivan Ristic, director of engineering at security firm Qualys, a company that monitors the HTTPS implementations on the world's most popular websites through a project called SSL Pulse, believes that it was harder for Facebook to implement this feature given its ecosystem of millions of third-party apps and websites that integrate with its platform.

The task of implementing HTTPS across one's own infrastructure is manageable, Ristic said Tuesday. However, when you have to deal with third-party content providers things become more complicated and require more time, he said.

Having full-session HTTPS turned on by default will have an impact on latency, but mainly when a browser first connects to a website and negotiates the SSL connection, Ristic said. However, that impact is probably going to be unnoticeable, he said.

Ristic believes that the security benefits of HTTPS are much more important and are definitely worth the latency costs. He also hopes to see other websites implement always-on HTTPS by default as well, even those that don't deal with particularly valuable accounts from an attacker's perspective, such as Wikipedia.

Using SSL is the only way to ensure the integrity of your content, Ristic said, adding that some ISPs and wireless network providers are already in the habit of inserting ads and other content into websites that don't use HTTPS.

However, the SSL expert doesn't believe that Facebook's switch to HTTPS by default will necessarily determine other websites to implement the feature as well. It's the users who need to pressure website operators into securing their connections with HTTPS at all times, he said.

Ristic echoed the EFF's opinion that Facebook's move is a great step forward for SSL adoption. However, the next step for Facebook is to implement HTTP Strict Transport Security (HSTS), he said.

HSTS allows HTTPS-enabled websites to instruct browsers that any attempts to initiate a connection with them over HTTP should not be allowed. This feature was designed to prevent a type of attack known as SSL stripping that allows an attacker positioned between a website and a user to force a connection downgrade from HTTPS to HTTP.

Qualys' SSL Server Test rates Facebook's current HTTP implementation with grade A and a score of 87 out of 100 points.

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicesonline safetysecuritysocial networkingencryptioninternetdata protectionprivacyElectronic Frontier FoundationqualysFacebook

More about EFFElectronic Frontier FoundationFacebookGoogleQualysWikipedia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place