All Facebook users get secure browsing by default
Posted on 01 August 2013.
After having introduced secure browsing as an option in 2011, and having begun rolling out always-on HTTPS by default for users in North America late last year, Facebook is finally making it the default option for all users.

The feature ensures that the information sent from users' browsers to the company's servers always travels over the Transport Layer Security (TLS) cryptographic protocol, making it more secure if intercepted.

According to Facebook software engineer Scott Renfro, when the feature was first introduced two years ago, more than a third of users enabled it immediately, despite the fact that it could slow down their Facebook use.

"We've focused on making it faster throughout the world and improving its compatibility with platform applications," says Renfro, and adds that practically all traffic directed to the Facebook main page, as well as some 80 percent of that directed to its mobile equivalent, now uses a secure connection.

He also took the time to explain a bit about the difficulties they encountered while making all of this possible. "Switching to https is more complicated than it might seem. It's not simply a matter of redirecting from http://www.facebook.com to https://www.facebook.com," he says.

Among the problems that had to be solved were a few regarding authentication and indicator cookies, referrer headers, and migration. Also, third-party platform application developers had to upgrade their apps to support https.

They also had to resolve performance problems.

"For example, if you're in Vancouver, where a round trip to Facebook's Prineville, Oregon, data center takes 20ms, then the full handshake only adds about 40ms, which probably isn't noticeable. However, if you're in Jakarta, where a round trip takes 300ms, a full handshake can add 600ms. When combined with an already slow connection, this additional latency on every request could be very noticeable and frustrating," he explains. "Thankfully, we've been able to avoid this extra latency in most cases by upgrading our infrastructure and using abbreviated handshakes."

Finally, he announced a couple of changes they are still working on, among which is the implementation of a type of cryptographic key exchange that will ensure Perfect Forward Secrecy, and the upgrading of their cryptographic RSA keys from 1048-bit to 2048-bit ones by the end of the year.









Copyright 1998-2014 by Help Net Security.