All Facebook users get secure browsing by default
Posted on 01 August 2013.
After having introduced secure browsing as an option in 2011, and having begun rolling out always-on HTTPS by default for users in North America late last year, Facebook is finally making it the default option for all users.

The feature ensures that information sent from users' browsers to the company's servers always travels over the Transport Layer Security (TLS) cryptographic protocol, making it more secure if intercepted.

According to Facebook software engineer Scott Renfro, when the feature was first introduced two years ago, more than a third of users enabled it immediately, despite the fact that it could slow down their Facebook use.

"We've focused on making it faster throughout the world and improving its compatibility with platform applications," says Renfro, and adds that practically all traffic directed to the Facebook main page, as well as some 80 percent of that directed to its mobile equivalent, now uses a secure connection.

He also took the time to explain a bit about the difficulties they encountered while making all of this possible. "Switching to https is more complicated than it might seem. It's not simply a matter of redirecting from http://www.facebook.com to https://www.facebook.com," he says.

Among the problems that had to be solved were a few regarding authentication and indicator cookies, referrer headers, and migration. In addition, third-party platform application developers had to upgrade their apps to support HTTPS.

They also had to resolve performance problems.

"For example, if you're in Vancouver, where a round trip to Facebook's Prineville, Oregon, data center takes 20ms, then the full handshake only adds about 40ms, which probably isn't noticeable. However, if you're in Jakarta, where a round trip takes 300ms, a full handshake can add 600ms. When combined with an already slow connection, this additional latency on every request could be very noticeable and frustrating," he explains. "Thankfully, we've been able to avoid this extra latency in most cases by upgrading our infrastructure and using abbreviated handshakes."

Finally, he announced a couple of changes they are still working on: the implementation of a type of cryptographic key exchange that will ensure Perfect Forward Secrecy, and the upgrading of their cryptographic RSA keys from 1048-bit to 2048-bit ones by the end of the year.









Copyright 1998-2014 by Help Net Security.