Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Facebook Adopts Secure Web Pages By Default

Facebook has finally started using HTTPS by default, following a 2010 FTC demand and in the distant footsteps of Google, Twitter, and Hotmail.

Facebook has begun making HTTPS, which provides SSL/TLS encryption, the default protocol for accessing all pages on its site.

"As announced last year, we are moving to HTTPS for all users," said Facebook platform engineer Shireesh Asthana in a Facebook developer forum blog post. "This week, we're starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world."

Using HTTPS helps secure all communications between browsers and Facebook's servers. It is typically signified from inside a browser by the presence of a lock icon or a green SSL address bar when viewing a Facebook page. While HTTPS will become the new default, Facebook will still offer "an opt-out for the crazies," said Ivan Ristic, director of engineering at Qualys, via Twitter.

[ The FTC reprimanded Facebook last summer for privacy failures. Read more at FTC Confirms Facebook Privacy Settlement, Sans Fines. ]

Until January 2011, Facebook used HTTPS only for pages that required a password. That month, however, Facebook began offering HTTPS as an option, which was selectable as "secure browsing" in the "advanced security features" page located in the "account security" setting of the "account settings" page. A Facebook spokesman didn't immediately respond to an emailed question about the percentage of users that had previously selected HTTPS as their default.

From a security standpoint, using HTTPS is clearly a good move. "HTTPS allows its many millions of users the ability to automatically encrypt their communications with the social network -- preventing hackers and attackers from sniffing your sensitive data while using encrypted Wi-Fi hotspots," said Graham Cluley, senior technology consultant at Sophos, in an emailed statement. "If you can't wait for Facebook to turn on HTTPS/SSL in your neck of the woods, you should set it up for yourself."

What are the downsides to using HTTPS? Performance is the primary concern, although Facebook has reportedly been ironing out any HTTPS-related infrastructure kinks over the last couple of years. "It is far from a simple task to build out this capability for the more than a billion people that use the site and retain the stability and speed we expect, but we are making progress daily towards this end," Facebook's security policy manager Frederic Wolens told Techcrunch.

Interestingly, Facebook said users may notice a slight performance hit after the move to HTTPS. "This may slow down connections only slightly, but we have deployed significant performance enhancements to our load balancing infrastructure to mitigate most of the impact of moving to HTTPS, and will be continuing this work as we deploy this feature," Wolens said.

Facebook's shift to HTTPS by default for all pages follows similar moves by Google, which first began requiring HTTPS for all Gmail users in January 2010. In July 2010, Google reported seeing virtually no related performance hit. Twitter and Hotmail are two other big-name sites that have also enabled HTTPS by default.

The move to adopt HTTPS by default was driven in large part by the 2010 release of the free Firefox extension Firesheep, which illustrated the ease with which packets could be sniffed and credentials stolen -- for example, to sites such as Facebook -- whenever people used insecure Wi-Fi connections.

In 2010, outgoing FTC Commissioner Pamela Jones Harbour had called on leading Web providers to make HTTPS the default for all pages.

The Electronic Frontier Foundation has been actively encouraging users and sites to adopt HTTPS through its HTTPS Everywhere campaign. Already the program, which is a collaboration with The Tor Project, has resulted in the development of extensions for both the Chrome and Firefox browsers which will use HTTPS to submit all page requests for any website that supports HTTPS.

Recent breaches have tarnished digital certificates, the Web security technology. The new, all-digital Digital Certificates issue of Dark Reading gives five reasons to keep it going. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
ANON1245867212860
50%
50%
ANON1245867212860,
User Rank: Apprentice
11/20/2012 | 12:31:06 AM
re: Facebook Adopts Secure Web Pages By Default
Don't see how there isn't a performance hit because encrypted pages are not stored by shared caches. Also, by having links on SSL pages to non-SSL URLs, IE9 issues warnings of Gǣinsecure content".
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
11/20/2012 | 4:30:18 PM
re: Facebook Adopts Secure Web Pages By Default
SSL encrypts the data "in transit"... not the data at rest. So I disagree with you about the browser not caching pages as being the problem. The main performance hit when using SSL comes from page encryption/decryption activity between the server and client.

If you look at what the browser caches from previous page visits (whether using SSL or not), you will find that it still downloads and caches files from the page(s) (mainly cookies, form data, JS, CSS, and graphics images). The other "changed" content is downloaded and the page is then rendered on the fly. Yes, it is slightly faster to display a page that has certain elements of it cached on the client rather than having to download ALL content again. This depends on the amount of a website's content being JPEG, GIF, PNG, Flash, etc. However, older systems have more of a problem with this than newer and a lot depends on Internet bandwidth as well.

You can blame website designers for the mixed secure/nonsecure content problem. If they are providing SSL services on "their" pages by default, then they should require third party content providers (that they link to) to enable SSL as well if they truly want a secure environment end to end. It is not just an IE browser issue with the warnings you receive about mixed content (secure vs. nonsecure). All browsers should warn about this. At least the IE browser (by default) is letting you know that mixed content could be a problem. Besides, you can turn that warning off if you want (not recommended because how would you otherwise know that some of your traffic is being redirected to a nonsecure site).
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20288
PUBLISHED: 2021-04-15
An authentication flaw was found in ceph in versions before 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associa...
CVE-2021-31229
PUBLISHED: 2021-04-15
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd() performs incorrect memory handling while parsing crafted XML files, which leads to an out-of-bounds write of a one byte constant.
CVE-2021-28548
PUBLISHED: 2021-04-15
Adobe Photoshop versions 21.2.6 (and earlier) and 22.3 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted JSX file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploi...
CVE-2021-28549
PUBLISHED: 2021-04-15
Adobe Photoshop versions 21.2.6 (and earlier) and 22.3 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted JSX file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploi...
CVE-2021-30209
PUBLISHED: 2021-04-15
Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions.