Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Facebook Adopts Secure Web Pages By Default

Facebook has finally started using HTTPS by default, following a 2010 FTC demand and in the distant footsteps of Google, Twitter, and Hotmail.

Facebook has begun making HTTPS, which provides SSL/TLS encryption, the default protocol for accessing all pages on its site.

"As announced last year, we are moving to HTTPS for all users," said Facebook platform engineer Shireesh Asthana in a Facebook developer forum blog post. "This week, we're starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world."

Using HTTPS helps secure all communications between browsers and Facebook's servers. It is typically signified from inside a browser by the presence of a lock icon or a green SSL address bar when viewing a Facebook page. While HTTPS will become the new default, Facebook will still offer "an opt-out for the crazies," said Ivan Ristic, director of engineering at Qualys, via Twitter.

[ The FTC reprimanded Facebook last summer for privacy failures. Read more at FTC Confirms Facebook Privacy Settlement, Sans Fines. ]

Until January 2011, Facebook used HTTPS only for pages that required a password. That month, however, Facebook began offering HTTPS as an option, which was selectable as "secure browsing" in the "advanced security features" page located in the "account security" setting of the "account settings" page. A Facebook spokesman didn't immediately respond to an emailed question about the percentage of users that had previously selected HTTPS as their default.

From a security standpoint, using HTTPS is clearly a good move. "HTTPS allows its many millions of users the ability to automatically encrypt their communications with the social network -- preventing hackers and attackers from sniffing your sensitive data while using encrypted Wi-Fi hotspots," said Graham Cluley, senior technology consultant at Sophos, in an emailed statement. "If you can't wait for Facebook to turn on HTTPS/SSL in your neck of the woods, you should set it up for yourself."

What are the downsides to using HTTPS? Performance is the primary concern, although Facebook has reportedly been ironing out any HTTPS-related infrastructure kinks over the last couple of years. "It is far from a simple task to build out this capability for the more than a billion people that use the site and retain the stability and speed we expect, but we are making progress daily towards this end," Facebook's security policy manager Frederic Wolens told Techcrunch.

Interestingly, Facebook said users may notice a slight performance hit after the move to HTTPS. "This may slow down connections only slightly, but we have deployed significant performance enhancements to our load balancing infrastructure to mitigate most of the impact of moving to HTTPS, and will be continuing this work as we deploy this feature," Wolens said.

Facebook's shift to HTTPS by default for all pages follows similar moves by Google, which first began requiring HTTPS for all Gmail users in January 2010. In July 2010, Google reported seeing virtually no related performance hit. Twitter and Hotmail are two other big-name sites that have also enabled HTTPS by default.

The move to adopt HTTPS by default was driven in large part by the 2010 release of the free Firefox extension Firesheep, which illustrated the ease with which packets could be sniffed and credentials stolen -- for example, to sites such as Facebook -- whenever people used insecure Wi-Fi connections.

In 2010, outgoing FTC Commissioner Pamela Jones Harbour had called on leading Web providers to make HTTPS the default for all pages.

The Electronic Frontier Foundation has been actively encouraging users and sites to adopt HTTPS through its HTTPS Everywhere campaign. Already the program, which is a collaboration with The Tor Project, has resulted in the development of extensions for both the Chrome and Firefox browsers which will use HTTPS to submit all page requests for any website that supports HTTPS.

Recent breaches have tarnished digital certificates, the Web security technology. The new, all-digital Digital Certificates issue of Dark Reading gives five reasons to keep it going. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
11/20/2012 | 4:30:18 PM
re: Facebook Adopts Secure Web Pages By Default
SSL encrypts the data "in transit"... not the data at rest. So I disagree with you about the browser not caching pages as being the problem. The main performance hit when using SSL comes from page encryption/decryption activity between the server and client.

If you look at what the browser caches from previous page visits (whether using SSL or not), you will find that it still downloads and caches files from the page(s) (mainly cookies, form data, JS, CSS, and graphics images). The other "changed" content is downloaded and the page is then rendered on the fly. Yes, it is slightly faster to display a page that has certain elements of it cached on the client rather than having to download ALL content again. This depends on the amount of a website's content being JPEG, GIF, PNG, Flash, etc. However, older systems have more of a problem with this than newer and a lot depends on Internet bandwidth as well.

You can blame website designers for the mixed secure/nonsecure content problem. If they are providing SSL services on "their" pages by default, then they should require third party content providers (that they link to) to enable SSL as well if they truly want a secure environment end to end. It is not just an IE browser issue with the warnings you receive about mixed content (secure vs. nonsecure). All browsers should warn about this. At least the IE browser (by default) is letting you know that mixed content could be a problem. Besides, you can turn that warning off if you want (not recommended because how would you otherwise know that some of your traffic is being redirected to a nonsecure site).
ANON1245867212860
50%
50%
ANON1245867212860,
User Rank: Apprentice
11/20/2012 | 12:31:06 AM
re: Facebook Adopts Secure Web Pages By Default
Don't see how there isn't a performance hit because encrypted pages are not stored by shared caches. Also, by having links on SSL pages to non-SSL URLs, IE9 issues warnings of Gǣinsecure content".
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21257
PUBLISHED: 2021-06-18
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. The RPL-Classic and RPL-Lite implementations in the Contiki-NG operating system versions prior to 4.6 do not validate the address pointer in the RPL source routing header This makes it possible for an attac...
CVE-2021-21279
PUBLISHED: 2021-06-18
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. In verions prior to 4.6, an attacker can perform a denial-of-service attack by triggering an infinite loop in the processing of IPv6 neighbor solicitation (NS) messages. This type of attack can effectively ...
CVE-2021-21280
PUBLISHED: 2021-06-18
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. It is possible to cause an out-of-bounds write in versions of Contiki-NG prior to 4.6 when transmitting a 6LoWPAN packet with a chain of extension headers. Unfortunately, the written header is not checked t...
CVE-2021-21281
PUBLISHED: 2021-06-18
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. A buffer overflow vulnerability exists in Contiki-NG versions prior to 4.6. After establishing a TCP socket using the tcp-socket library, it is possible for the remote end to send a packet with a data offse...
CVE-2021-21410
PUBLISHED: 2021-06-18
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be triggered by 6LoWPAN packets sent to devices running Contiki-NG 4.6 and prior. The IPv6 header decompression function (<code>uncompress_hdr_iphc</code>) does not pe...