This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Facebook deploys HTTPS for all users and details further security plans

Share this article:
Facebook follows Google's lead on user privacy settings
Facebook follows Google's lead on user privacy settings

Facebook has deployed Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL), for all users.

According to a blog post by Facebook software engineer Scott Renfro, after it had first announced the plans in early 2011, and confirmed it in November 2012, all users have been switched over after a third enabled the feature following its introduction.

In the future, the website will also implement HTTP Strict TransportSecurity (HSTS) to instruct a user's browser to interact with a site using only https connections.

While he admitted that it faced some challenges in implementing HTTPS, particularly with so much of Facebook relying on third party applications, Renfro said that virtually all traffic to Facebook and 80 per cent of traffic to the mobile site will use a secure connection. “Our native apps for Android and iOS have long used https as well,” he said.

“Some mobile phones and mobile carrier gateways don't fully support https. While we're working with the vendors of these products, we didn't want to leave https off entirely for affected users. Instead, we only downgrade the session on an ineligible device while continuing to use https on browsers and phones where https is properly supported.

“This downgrade process leverages the same in-flight migration logic as https upgrades. We've seen issues only with some feature phones; desktop browsers and smartphones all seem to work fine.”

Looking forward, Renfro said that it is also planning to deploy 2048-bit RSA keys, Elliptic Curve Cryptography and related Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) key exchange, as well as certificate pinning for specifying the certificate authorities that a site actually uses.

Speaking at last year's RSA Conference Europe, Wikipedia founder Jimmy Wales called for all websites to move to using HTTPS everywhere as "in the longer term, so [they have] secure access all of the time".

He said: “I made sure my Facebook was secure though, we are moving in a direction where we will use encryption by default so let's assume that your connection to a site will be encrypted and the general public know it but do they understand it?

“If you give people the choice between a browser that is more secure, then they will choose the one that is more secure.”

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

Cyber security still a learning curve for most companies

Cyber security still a learning curve for most ...

Poor network visibility, outdated security tools, a skills shortage and a lack of control in the cloud are just some of the reasons companies are struggling with cyber-security, say two ...

WorldPay hacker sentenced to 11 years for role in £6 million scheme

WorldPay hacker sentenced to 11 years for role ...

An Estonian man, who helped hack payment processor RBS WorldPay in 2008, has now been sentenced to 11 years in prison for his involvement in the £5.9 (US$ 9.4 million) ...

'Sophisticated' Chinese hackers launched attacks against 43,000 computer systems

'Sophisticated' Chinese hackers launched attacks against 43,000 computer ...

A new report reveals that a Chinese cyber-espionage group is closely affiliated with government and carried out attacks against the likes of Fortune 500 companies and government agencies.