All Facebook users get secure browsing by default
Posted on 01 August 2013.
After having introduced secure browsing as an option in 2011, and having begun rolling out always-on HTTPS by default for users in North America late last year, Facebook is finally making it the default option for all users.

The feature ensures that all information the users' browsers send to the company's servers travels over the Transport Layer Security (TLS) cryptographic protocol, so that it remains protected even if intercepted.

According to Facebook software engineer Scott Renfro, when the feature was first introduced two years ago, more than a third of users enabled it immediately, despite the fact that it could slow down their Facebook use.

"We've focused on making it faster throughout the world and improving its compatibility with platform applications," says Renfro, and adds that practically all traffic directed to the Facebook main page, as well as some 80 percent of that directed to its mobile equivalent, now uses a secure connection.

He also took the time to explain a bit about the difficulties they encountered while making all of this possible. "Switching to https is more complicated than it might seem. It's not simply a matter of redirecting from to," he says.

Among the problems that had to be solved were a few regarding authentication and indicator cookies, referrer headers, and migration. Also, third-party platform application developers had to upgrade their apps to support https.

They also had to resolve performance problems.

"For example, if you're in Vancouver, where a round trip to Facebook's Prineville, Oregon, data center takes 20ms, then the full handshake only adds about 40ms, which probably isn't noticeable. However, if you're in Jakarta, where a round trip takes 300ms, a full handshake can add 600ms. When combined with an already slow connection, this additional latency on every request could be very noticeable and frustrating," he explains. "Thankfully, we've been able to avoid this extra latency in most cases by upgrading our infrastructure and using abbreviated handshakes."
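As an added illustration that is not from the article or from Facebook, a small Python model of the latency arithmetic Renfro describes: a full TLS 1.2 handshake costs two round trips before the first request can go out, an abbreviated (session-resumption) handshake costs one, and a client-side session cache with a hypothetical lifetime decides which of the two each new connection pays.

```python
"""Model of TLS handshake latency: full handshake = 2 round trips,
abbreviated (resumed) handshake = 1 round trip.  RTT figures used in
the demo are the article's own: 20 ms (Vancouver), 300 ms (Jakarta)."""
from dataclasses import dataclass, field

FULL_HANDSHAKE_RTTS = 2         # TLS 1.2: ClientHello ... Finished, two flights each way
ABBREVIATED_HANDSHAKE_RTTS = 1  # resumption via session ID or session ticket


def handshake_overhead_ms(rtt_ms, resumed):
    """Latency the handshake adds before application data can be sent."""
    rtts = ABBREVIATED_HANDSHAKE_RTTS if resumed else FULL_HANDSHAKE_RTTS
    return rtts * rtt_ms


@dataclass
class SessionCache:
    """Client-side cache of resumable sessions keyed by host name.
    ttl_s is a hypothetical lifetime standing in for how long the
    server keeps the session ID or ticket valid."""
    ttl_s: int
    _expiry: dict = field(default_factory=dict)

    def can_resume(self, host, now_s):
        expiry = self._expiry.get(host)
        return expiry is not None and now_s < expiry

    def store(self, host, now_s):
        self._expiry[host] = now_s + self.ttl_s


def simulate(rtt_ms, connection_times_s, ttl_s=3600, host="example.invalid"):
    """Per-connection handshake overhead (ms) for a client opening a new
    TLS connection at each timestamp.  Only a full handshake creates a
    new session; resuming does not extend its lifetime in this model."""
    cache = SessionCache(ttl_s)
    costs = []
    for t in connection_times_s:
        resumed = cache.can_resume(host, t)
        costs.append(handshake_overhead_ms(rtt_ms, resumed))
        if not resumed:
            cache.store(host, t)
    return costs


if __name__ == "__main__":
    # constructed timeline: five connections over about two hours, one-hour cache TTL
    timeline = [0, 30, 600, 4000, 7700]
    for city, rtt in (("Vancouver", 20), ("Jakarta", 300)):
        print(city, simulate(rtt, timeline))
```

The fourth and fifth connections fall outside the cached session's lifetime and pay the full two round trips again, which is why keeping resumption working across a user's session matters far more on a 300 ms path than on a 20 ms one.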

Finally, he announced a couple of changes they are still working on, among which is the implementation of a type of cryptographic key exchange that will ensure Perfect Forward Secrecy, and the upgrading of their cryptographic RSA keys from 1048-bit to 2048-bit ones by the end of the year.
