This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Facebook deploys HTTPS for all users and details further security plans

Share this article:
Facebook follows Google's lead on user privacy settings
Facebook follows Google's lead on user privacy settings

Facebook has deployed Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL), for all users.

According to a blog post by Facebook software engineer Scott Renfro, after it had first announced the plans in early 2011, and confirmed it in November 2012, all users have been switched over after a third enabled the feature following its introduction.

In the future, the website will also implement HTTP Strict TransportSecurity (HSTS) to instruct a user's browser to interact with a site using only https connections.

While he admitted that it faced some challenges in implementing HTTPS, particularly with so much of Facebook relying on third party applications, Renfro said that virtually all traffic to Facebook and 80 per cent of traffic to the mobile site will use a secure connection. “Our native apps for Android and iOS have long used https as well,” he said.

“Some mobile phones and mobile carrier gateways don't fully support https. While we're working with the vendors of these products, we didn't want to leave https off entirely for affected users. Instead, we only downgrade the session on an ineligible device while continuing to use https on browsers and phones where https is properly supported.

“This downgrade process leverages the same in-flight migration logic as https upgrades. We've seen issues only with some feature phones; desktop browsers and smartphones all seem to work fine.”

Looking forward, Renfro said that it is also planning to deploy 2048-bit RSA keys, Elliptic Curve Cryptography and related Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) key exchange, as well as certificate pinning for specifying the certificate authorities that a site actually uses.

Speaking at last year's RSA Conference Europe, Wikipedia founder Jimmy Wales called for all websites to move to using HTTPS everywhere as "in the longer term, so [they have] secure access all of the time".

He said: “I made sure my Facebook was secure though, we are moving in a direction where we will use encryption by default so let's assume that your connection to a site will be encrypted and the general public know it but do they understand it?

“If you give people the choice between a browser that is more secure, then they will choose the one that is more secure.”

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

Apple criticised despite fixing iOS 7 and OS X flaws

Apple criticised despite fixing iOS 7 and OS ...

Apple has been criticised despite correcting various security flaws on iOS 7 and OS X Lion and Mountain, with one such bug allowing hackers to intercept data via an SSL ...

Dual-pronged social media attack vector discovered

Dual-pronged social media attack vector discovered

Symantec researchers have spotted a dual-pronged social media engineering attack.

Major Twitter spam attack 'traced' to fellow social media site

Major Twitter spam attack 'traced' to fellow social ...

Photo-sharing website We Heart may have been hit by a stream hack, after it was cited as the source for thousands of spam messages being sent out on Twitter.