Facebook deploys HTTPS for all users and details further security plans
Facebook follows Google's lead on user privacy settings
Facebook has deployed Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL), for all users.
According to a blog post by Facebook software engineer Scott Renfro, after it had first announced the plans in early 2011, and confirmed it in November 2012, all users have been switched over after a third enabled the feature following its introduction.
In the future, the website will also implement HTTP Strict TransportSecurity (HSTS) to instruct a user's browser to interact with a site using only https connections.
While he admitted that it faced some challenges in implementing HTTPS, particularly with so much of Facebook relying on third party applications, Renfro said that virtually all traffic to Facebook and 80 per cent of traffic to the mobile site will use a secure connection. “Our native apps for Android and iOS have long used https as well,” he said.
“Some mobile phones and mobile carrier gateways don't fully support https. While we're working with the vendors of these products, we didn't want to leave https off entirely for affected users. Instead, we only downgrade the session on an ineligible device while continuing to use https on browsers and phones where https is properly supported.
“This downgrade process leverages the same in-flight migration logic as https upgrades. We've seen issues only with some feature phones; desktop browsers and smartphones all seem to work fine.”
Looking forward, Renfro said that it is also planning to deploy 2048-bit RSA keys, Elliptic Curve Cryptography and related Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) key exchange, as well as certificate pinning for specifying the certificate authorities that a site actually uses.
Speaking at last year's RSA Conference Europe, Wikipedia founder Jimmy Wales called for all websites to move to using HTTPS everywhere as "in the longer term, so [they have] secure access all of the time".
He said: “I made sure my Facebook was secure though, we are moving in a direction where we will use encryption by default so let's assume that your connection to a site will be encrypted and the general public know it but do they understand it?
“If you give people the choice between a browser that is more secure, then they will choose the one that is more secure.”