Facebook turns on secure browsing by default

Aug 2, 2013 | Facebook marketing, Social media


Facebook has switched to secure HTTPS browsing for all users, some two years after the company added the feature.


The switch follows similar moves in recent years by rivals Google and Twitter.
Facebook revealed that a third of its users opted in to the feature after it was first introduced.
Now, all traffic to Facebook’s website and 80% of all traffic going to the mobile-optimised version will use a secure connection. The service uses Transport Layer Security (TLS), or Secure Sockets Layer (SSL), to protect the connection.
Two years ago, the social networking site gave users the option of using TLS (Transport Layer Security) encryption, indicated by “https” in the URL bar. TLS is the successor to SSL (Secure Sockets Layer), a system that uses public key cryptography to ensure greater privacy between two parties.
More than a third of users flipped on TLS, but it was not made a default due to a variety of engineering challenges, wrote Scott Renfro, a software engineer with Facebook’s Security Infrastructure team in London.
One problem is latency. Facebook has been using techniques that help speed up the response of its servers for users in places such as Jakarta, who may endure a slower response with a Facebook server in Prineville, Oregon, than someone in Canada.
“Because we embed third-party platform applications inside of iframes, we needed to get all platform applications to upgrade their apps to support https,” Renfro wrote. “This was treated as a 90-day breaking change for platform applications, and we actually gave developers 150 days to get a certificate and upgrade their application to https.”
Facebook will also move to a type of cryptographic key exchange that ensures data can’t be decrypted in the future, a concept known as Perfect Forward Secrecy.
The system uses a short-lived private key for each TLS session, eliminating the risk that data could be decrypted years later if a private key is compromised, Renfro wrote.
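To check a server configuration for the forward-secrecy property described above, the following added Python example (not code from Facebook or the original article) classifies cipher suites by key exchange and lists the ones that do not use an ephemeral key. The function names and the sample preference list are assumptions constructed for illustration.

```python
import re

# TLS 1.3 suite names carry no key-exchange token; TLS 1.3 always uses (EC)DHE.
TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")
FORWARD_SECRET = {"ECDHE", "DHE", "TLS1.3-(EC)DHE"}

def key_exchange(suite: str) -> str:
    """Return the key-exchange family of an OpenSSL- or IANA-style suite name."""
    name = suite.upper()
    if TLS13.match(name):
        return "TLS1.3-(EC)DHE"
    # IANA: TLS_<KX>_<AUTH>_WITH_<CIPHER>; OpenSSL: <KX>-<AUTH>-<CIPHER>
    head = name.split("_WITH_")[0] if "_WITH_" in name else name
    tokens = [t for t in re.split(r"[-_]", head) if t and t != "TLS"]
    first = tokens[0] if tokens else ""
    if first == "ECDHE":
        return "ECDHE"
    if first in ("DHE", "EDH"):
        return "DHE"
    if first in ("ECDH", "DH"):
        return "static-" + first  # fixed key pair, no forward secrecy
    # OpenSSL omits the token for RSA key transport (e.g. AES128-SHA).
    # Anything unrecognised lands here too and is treated as not forward secret.
    return "RSA/other"

def audit(preference_order):
    """Return (preferred_suite_is_forward_secret, suites_without_forward_secrecy)."""
    weak = [s for s in preference_order if key_exchange(s) not in FORWARD_SECRET]
    first_ok = bool(preference_order) and key_exchange(preference_order[0]) in FORWARD_SECRET
    return first_ok, weak

# Constructed sample preference list, not taken from any real deployment.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_AES_256_GCM_SHA384",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "ECDH-RSA-AES128-SHA",
]

if __name__ == "__main__":
    ok, weak = audit(SAMPLE)
    print("preferred suite forward secret:", ok)
    for s in weak:
        print("no forward secrecy:", s, "->", key_exchange(s))
```

Suites flagged by the audit encrypt the session secret under the server's long-lived key, so recorded traffic becomes readable if that key is later compromised.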
Read the blog here
