Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Facebook Adopts Secure Web Pages By Default

Facebook has finally started using HTTPS by default, following a 2010 FTC demand and in the distant footsteps of Google, Twitter, and Hotmail.

Facebook has begun making HTTPS, which provides SSL/TLS encryption, the default protocol for accessing all pages on its site.

"As announced last year, we are moving to HTTPS for all users," said Facebook platform engineer Shireesh Asthana in a Facebook developer forum blog post. "This week, we're starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world."

Using HTTPS helps secure all communications between browsers and Facebook's servers. It is typically signified from inside a browser by the presence of a lock icon or a green SSL address bar when viewing a Facebook page. While HTTPS will become the new default, Facebook will still offer "an opt-out for the crazies," said Ivan Ristic, director of engineering at Qualys, via Twitter.

[ The FTC reprimanded Facebook last summer for privacy failures. Read more at FTC Confirms Facebook Privacy Settlement, Sans Fines. ]

Until January 2011, Facebook used HTTPS only for pages that required a password. That month, however, Facebook began offering HTTPS as an option, which was selectable as "secure browsing" in the "advanced security features" page located in the "account security" setting of the "account settings" page. A Facebook spokesman didn't immediately respond to an emailed question about the percentage of users that had previously selected HTTPS as their default.

From a security standpoint, using HTTPS is clearly a good move. "HTTPS allows its many millions of users the ability to automatically encrypt their communications with the social network -- preventing hackers and attackers from sniffing your sensitive data while using encrypted Wi-Fi hotspots," said Graham Cluley, senior technology consultant at Sophos, in an emailed statement. "If you can't wait for Facebook to turn on HTTPS/SSL in your neck of the woods, you should set it up for yourself."

What are the downsides to using HTTPS? Performance is the primary concern, although Facebook has reportedly been ironing out any HTTPS-related infrastructure kinks over the last couple of years. "It is far from a simple task to build out this capability for the more than a billion people that use the site and retain the stability and speed we expect, but we are making progress daily towards this end," Facebook's security policy manager Frederic Wolens told Techcrunch.

Interestingly, Facebook said users may notice a slight performance hit after the move to HTTPS. "This may slow down connections only slightly, but we have deployed significant performance enhancements to our load balancing infrastructure to mitigate most of the impact of moving to HTTPS, and will be continuing this work as we deploy this feature," Wolens said.

Facebook's shift to HTTPS by default for all pages follows similar moves by Google, which first began requiring HTTPS for all Gmail users in January 2010. In July 2010, Google reported seeing virtually no related performance hit. Twitter and Hotmail are two other big-name sites that have also enabled HTTPS by default.

The move to adopt HTTPS by default was driven in large part by the 2010 release of the free Firefox extension Firesheep, which illustrated the ease with which packets could be sniffed and credentials stolen -- for example, to sites such as Facebook -- whenever people used insecure Wi-Fi connections.

In 2010, outgoing FTC Commissioner Pamela Jones Harbour had called on leading Web providers to make HTTPS the default for all pages.

The Electronic Frontier Foundation has been actively encouraging users and sites to adopt HTTPS through its HTTPS Everywhere campaign. Already the program, which is a collaboration with The Tor Project, has resulted in the development of extensions for both the Chrome and Firefox browsers which will use HTTPS to submit all page requests for any website that supports HTTPS.

Recent breaches have tarnished digital certificates, the Web security technology. The new, all-digital Digital Certificates issue of Dark Reading gives five reasons to keep it going. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
11/20/2012 | 4:30:18 PM
re: Facebook Adopts Secure Web Pages By Default
SSL encrypts the data "in transit"... not the data at rest. So I disagree with you about the browser not caching pages as being the problem. The main performance hit when using SSL comes from page encryption/decryption activity between the server and client.

If you look at what the browser caches from previous page visits (whether using SSL or not), you will find that it still downloads and caches files from the page(s) (mainly cookies, form data, JS, CSS, and graphics images). The other "changed" content is downloaded and the page is then rendered on the fly. Yes, it is slightly faster to display a page that has certain elements of it cached on the client rather than having to download ALL content again. This depends on the amount of a website's content being JPEG, GIF, PNG, Flash, etc. However, older systems have more of a problem with this than newer and a lot depends on Internet bandwidth as well.

You can blame website designers for the mixed secure/nonsecure content problem. If they are providing SSL services on "their" pages by default, then they should require third party content providers (that they link to) to enable SSL as well if they truly want a secure environment end to end. It is not just an IE browser issue with the warnings you receive about mixed content (secure vs. nonsecure). All browsers should warn about this. At least the IE browser (by default) is letting you know that mixed content could be a problem. Besides, you can turn that warning off if you want (not recommended because how would you otherwise know that some of your traffic is being redirected to a nonsecure site).
ANON1245867212860
50%
50%
ANON1245867212860,
User Rank: Apprentice
11/20/2012 | 12:31:06 AM
re: Facebook Adopts Secure Web Pages By Default
Don't see how there isn't a performance hit because encrypted pages are not stored by shared caches. Also, by having links on SSL pages to non-SSL URLs, IE9 issues warnings of Gǣinsecure content".
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...