This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Facebook deploys HTTPS for all users and details further security plans

Share this article:
Facebook follows Google's lead on user privacy settings
Facebook follows Google's lead on user privacy settings

Facebook has deployed Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL), for all users.

According to a blog post by Facebook software engineer Scott Renfro, after it had first announced the plans in early 2011, and confirmed it in November 2012, all users have been switched over after a third enabled the feature following its introduction.

In the future, the website will also implement HTTP Strict TransportSecurity (HSTS) to instruct a user's browser to interact with a site using only https connections.

While he admitted that it faced some challenges in implementing HTTPS, particularly with so much of Facebook relying on third party applications, Renfro said that virtually all traffic to Facebook and 80 per cent of traffic to the mobile site will use a secure connection. “Our native apps for Android and iOS have long used https as well,” he said.

“Some mobile phones and mobile carrier gateways don't fully support https. While we're working with the vendors of these products, we didn't want to leave https off entirely for affected users. Instead, we only downgrade the session on an ineligible device while continuing to use https on browsers and phones where https is properly supported.

“This downgrade process leverages the same in-flight migration logic as https upgrades. We've seen issues only with some feature phones; desktop browsers and smartphones all seem to work fine.”

Looking forward, Renfro said that it is also planning to deploy 2048-bit RSA keys, Elliptic Curve Cryptography and related Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) key exchange, as well as certificate pinning for specifying the certificate authorities that a site actually uses.

Speaking at last year's RSA Conference Europe, Wikipedia founder Jimmy Wales called for all websites to move to using HTTPS everywhere as "in the longer term, so [they have] secure access all of the time".

He said: “I made sure my Facebook was secure though, we are moving in a direction where we will use encryption by default so let's assume that your connection to a site will be encrypted and the general public know it but do they understand it?

“If you give people the choice between a browser that is more secure, then they will choose the one that is more secure.”

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

New TorrentLocker ransomware trades on fear of CryptoLocker

New TorrentLocker ransomware trades on fear of CryptoLocker

A new breed of ransomware called TorrentLocker that mimics more feared versions like CryptoLocker and CryptoWall has been discovered targeting users in Australia.

UK Ministry of Defence launches £2 million cyber defence competition

UK Ministry of Defence launches £2 million cyber ...

The British government has kicked-off a £2 million contest to find new ways to protect the Ministry of Defence (MoD) computer systems from cyber-attacks using automated threat response.

GCHQ tries to hack every server in 27 countries

GCHQ tries to hack every server in 27 ...

British spy agency GCHQ has been scanning every public-facing server in 27 countries for years to find any weak systems it can hack, according to the latest media reports.