Risk
11/19/2012
11:11 AM
Connect Directly
RSS
E-Mail
50%
50%

Facebook Adopts Secure Web Pages By Default

Facebook has finally started using HTTPS by default, following a 2010 FTC demand and in the distant footsteps of Google, Twitter, and Hotmail.

Facebook has begun making HTTPS, which provides SSL/TLS encryption, the default protocol for accessing all pages on its site.

"As announced last year, we are moving to HTTPS for all users," said Facebook platform engineer Shireesh Asthana in a Facebook developer forum blog post. "This week, we're starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world."

Using HTTPS helps secure all communications between browsers and Facebook's servers. It is typically signified from inside a browser by the presence of a lock icon or a green SSL address bar when viewing a Facebook page. While HTTPS will become the new default, Facebook will still offer "an opt-out for the crazies," said Ivan Ristic, director of engineering at Qualys, via Twitter.

[ The FTC reprimanded Facebook last summer for privacy failures. Read more at FTC Confirms Facebook Privacy Settlement, Sans Fines. ]

Until January 2011, Facebook used HTTPS only for pages that required a password. That month, however, Facebook began offering HTTPS as an option, which was selectable as "secure browsing" in the "advanced security features" page located in the "account security" setting of the "account settings" page. A Facebook spokesman didn't immediately respond to an emailed question about the percentage of users that had previously selected HTTPS as their default.

From a security standpoint, using HTTPS is clearly a good move. "HTTPS allows its many millions of users the ability to automatically encrypt their communications with the social network -- preventing hackers and attackers from sniffing your sensitive data while using encrypted Wi-Fi hotspots," said Graham Cluley, senior technology consultant at Sophos, in an emailed statement. "If you can't wait for Facebook to turn on HTTPS/SSL in your neck of the woods, you should set it up for yourself."

What are the downsides to using HTTPS? Performance is the primary concern, although Facebook has reportedly been ironing out any HTTPS-related infrastructure kinks over the last couple of years. "It is far from a simple task to build out this capability for the more than a billion people that use the site and retain the stability and speed we expect, but we are making progress daily towards this end," Facebook's security policy manager Frederic Wolens told Techcrunch.

Interestingly, Facebook said users may notice a slight performance hit after the move to HTTPS. "This may slow down connections only slightly, but we have deployed significant performance enhancements to our load balancing infrastructure to mitigate most of the impact of moving to HTTPS, and will be continuing this work as we deploy this feature," Wolens said.

Facebook's shift to HTTPS by default for all pages follows similar moves by Google, which first began requiring HTTPS for all Gmail users in January 2010. In July 2010, Google reported seeing virtually no related performance hit. Twitter and Hotmail are two other big-name sites that have also enabled HTTPS by default.

The move to adopt HTTPS by default was driven in large part by the 2010 release of the free Firefox extension Firesheep, which illustrated the ease with which packets could be sniffed and credentials stolen -- for example, to sites such as Facebook -- whenever people used insecure Wi-Fi connections.

In 2010, outgoing FTC Commissioner Pamela Jones Harbour had called on leading Web providers to make HTTPS the default for all pages.

The Electronic Frontier Foundation has been actively encouraging users and sites to adopt HTTPS through its HTTPS Everywhere campaign. Already the program, which is a collaboration with The Tor Project, has resulted in the development of extensions for both the Chrome and Firefox browsers which will use HTTPS to submit all page requests for any website that supports HTTPS.

Recent breaches have tarnished digital certificates, the Web security technology. The new, all-digital Digital Certificates issue of Dark Reading gives five reasons to keep it going. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
ANON1245867212860
50%
50%
ANON1245867212860,
User Rank: Apprentice
11/20/2012 | 12:31:06 AM
re: Facebook Adopts Secure Web Pages By Default
Don't see how there isn't a performance hit because encrypted pages are not stored by shared caches. Also, by having links on SSL pages to non-SSL URLs, IE9 issues warnings of GÇ£insecure content".
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
11/20/2012 | 4:30:18 PM
re: Facebook Adopts Secure Web Pages By Default
SSL encrypts the data "in transit"... not the data at rest. So I disagree with you about the browser not caching pages as being the problem. The main performance hit when using SSL comes from page encryption/decryption activity between the server and client.

If you look at what the browser caches from previous page visits (whether using SSL or not), you will find that it still downloads and caches files from the page(s) (mainly cookies, form data, JS, CSS, and graphics images). The other "changed" content is downloaded and the page is then rendered on the fly. Yes, it is slightly faster to display a page that has certain elements of it cached on the client rather than having to download ALL content again. This depends on the amount of a website's content being JPEG, GIF, PNG, Flash, etc. However, older systems have more of a problem with this than newer and a lot depends on Internet bandwidth as well.

You can blame website designers for the mixed secure/nonsecure content problem. If they are providing SSL services on "their" pages by default, then they should require third party content providers (that they link to) to enable SSL as well if they truly want a secure environment end to end. It is not just an IE browser issue with the warnings you receive about mixed content (secure vs. nonsecure). All browsers should warn about this. At least the IE browser (by default) is letting you know that mixed content could be a problem. Besides, you can turn that warning off if you want (not recommended because how would you otherwise know that some of your traffic is being redirected to a nonsecure site).
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.