This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Facebook deploys HTTPS for all users and details further security plans

Share this article:
Facebook follows Google's lead on user privacy settings
Facebook follows Google's lead on user privacy settings

Facebook has deployed Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL), for all users.

According to a blog post by Facebook software engineer Scott Renfro, after it had first announced the plans in early 2011, and confirmed it in November 2012, all users have been switched over after a third enabled the feature following its introduction.

In the future, the website will also implement HTTP Strict TransportSecurity (HSTS) to instruct a user's browser to interact with a site using only https connections.

While he admitted that it faced some challenges in implementing HTTPS, particularly with so much of Facebook relying on third party applications, Renfro said that virtually all traffic to Facebook and 80 per cent of traffic to the mobile site will use a secure connection. “Our native apps for Android and iOS have long used https as well,” he said.

“Some mobile phones and mobile carrier gateways don't fully support https. While we're working with the vendors of these products, we didn't want to leave https off entirely for affected users. Instead, we only downgrade the session on an ineligible device while continuing to use https on browsers and phones where https is properly supported.

“This downgrade process leverages the same in-flight migration logic as https upgrades. We've seen issues only with some feature phones; desktop browsers and smartphones all seem to work fine.”

Looking forward, Renfro said that it is also planning to deploy 2048-bit RSA keys, Elliptic Curve Cryptography and related Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) key exchange, as well as certificate pinning for specifying the certificate authorities that a site actually uses.

Speaking at last year's RSA Conference Europe, Wikipedia founder Jimmy Wales called for all websites to move to using HTTPS everywhere as "in the longer term, so [they have] secure access all of the time".

He said: “I made sure my Facebook was secure though, we are moving in a direction where we will use encryption by default so let's assume that your connection to a site will be encrypted and the general public know it but do they understand it?

“If you give people the choice between a browser that is more secure, then they will choose the one that is more secure.”

Share this article:

SC webcasts on demand

This is how to secure data in the cloud

Exclusive video webcast & Q&A sponsored by Vormetric

As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.

View the webcast here to find out more

More in News

China refutes new FBI hacking claims

China refutes new FBI hacking claims

It's been another week of claims and counterclaims as the US and Chinese governments accuse each other of deviant cyber security practices.

SC Exclusive: Bank of England to appoint new CISO in January

SC Exclusive: Bank of England to appoint new ...

Bank of England Chief Information Security Officer (CISO) Don Randall is to leave his post in the New Year to take up an unspecified supervisory role, with William Brandon set ...

Sandworm vulnerability seen targeting SCADA-based systems

Sandworm vulnerability seen targeting SCADA-based systems

Hard on the heels of the `Sandworm' spy group revealed by iSIGHT Partners earlier in the week, Trend Micro says its has spotted the zero-day vulnerability of the same name ...