Facebook Adopts Secure Web Pages By Default

Facebook has begun making HTTPS, which provides SSL/TLS encryption, the default protocol for accessing all pages on its site.

"As announced last year, we are moving to HTTPS for all users," said Facebook platform engineer Shireesh Asthana in a Facebook developer forum blog post. "This week, we're starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world."

Using HTTPS helps secure all communications between browsers and Facebook's servers. It is typically signified from inside a browser by the presence of a lock icon or a green SSL address bar when viewing a Facebook page. While HTTPS will become the new default, Facebook will still offer "an opt-out for the crazies," said Ivan Ristic, director of engineering at Qualys, via Twitter.

[ The FTC reprimanded Facebook last summer for privacy failures. Read more at FTC Confirms Facebook Privacy Settlement, Sans Fines. ]

Until January 2011, Facebook used HTTPS only for pages that required a password. That month, however, Facebook began offering HTTPS as an option, which was selectable as "secure browsing" in the "advanced security features" page located in the "account security" setting of the "account settings" page. A Facebook spokesman didn't immediately respond to an emailed question about the percentage of users that had previously selected HTTPS as their default.

From a security standpoint, using HTTPS is clearly a good move. "HTTPS allows its many millions of users the ability to automatically encrypt their communications with the social network -- preventing hackers and attackers from sniffing your sensitive data while using encrypted Wi-Fi hotspots," said Graham Cluley, senior technology consultant at Sophos, in an emailed statement. "If you can't wait for Facebook to turn on HTTPS/SSL in your neck of the woods, you should set it up for yourself."

What are the downsides to using HTTPS? Performance is the primary concern, although Facebook has reportedly been ironing out any HTTPS-related infrastructure kinks over the last couple of years. "It is far from a simple task to build out this capability for the more than a billion people that use the site and retain the stability and speed we expect, but we are making progress daily towards this end," Facebook's security policy manager Frederic Wolens told Techcrunch.

Interestingly, Facebook said users may notice a slight performance hit after the move to HTTPS. "This may slow down connections only slightly, but we have deployed significant performance enhancements to our load balancing infrastructure to mitigate most of the impact of moving to HTTPS, and will be continuing this work as we deploy this feature," Wolens said.

Facebook's shift to HTTPS by default for all pages follows similar moves by Google, which first began requiring HTTPS for all Gmail users in January 2010. In July 2010, Google reported seeing virtually no related performance hit. Twitter and Hotmail are two other big-name sites that have also enabled HTTPS by default.

The move to adopt HTTPS by default was driven in large part by the 2010 release of the free Firefox extension Firesheep, which illustrated the ease with which packets could be sniffed and credentials stolen -- for example, to sites such as Facebook -- whenever people used insecure Wi-Fi connections.

In 2010, outgoing FTC Commissioner Pamela Jones Harbour had called on leading Web providers to make HTTPS the default for all pages.

The Electronic Frontier Foundation has been actively encouraging users and sites to adopt HTTPS through its HTTPS Everywhere campaign. Already the program, which is a collaboration with The Tor Project, has resulted in the development of extensions for both the Chrome and Firefox browsers which will use HTTPS to submit all page requests for any website that supports HTTPS.

Recent breaches have tarnished digital certificates, the Web security technology. The new, all-digital Digital Certificates issue of Dark Reading gives five reasons to keep it going. (Free registration required.)