Facebook announced on March 5, that it is turning on a new capability that will automatically direct users to an HTTPS secured version of a link target, if one is available.
The feature known as HTTP Strict Transport Security (HSTS) preloading is being rolled out across facebook.com and Instagram. With HSTS preloading, a site link that a user posted as an un-encrypted HTTP link will automatically be re-directed to an encrypted HTTPS link for a given site.
“We continue to encourage people to check the URL in the address bar to see if the link is supported by HTTPS,” Jon Millican, Software Engineer at Facebook, told eWEEK. “But we understand that many people still use browsers that don’t support HSTS, and so we’re working to ensure that their first connection to supported websites is secure.”
HSTS is a technology protocol that can be deployed by site owners to force all browsers to view a site over HTTPS, which provides an SSL/TLS encrypted version of a given site. The challenge is that not all sites that support HTTPS deploy HSTS and not all browsers support HSTS headers either. As such, a user could still potentially end up on a non-encrypted HTTP version of a site, even if an HTTPS version exists.
With HSTS preloading, Facebook is using a list of known sites that conform to proper HTTPS best practices for deployment, to redirect users to HTTPS links.
“Our implementation uses the Chromium preload list, which is used by major browsers,” Millican said. “We also use a list based on HSTS headers from sites that we crawl, and we update both lists regularly.”
The number of HTTPS encrypted sites has steadily increased in recent years. Cisco revealed in in its 2017 Annual Cyber-security Report that 50 percent of all data traffic is now using HTTPS. Mozilla’s Firefox Telemetry project statistics show that an average of approximately 70 percent of web pages loaded by Firefox in February of 2017 were using HTTPS.
As to why Facebook, didn’t just simply re-write all links posted on Facebook and Instagram to HTTPS, it all has to do with compatibility.
“Making this change and upgrading our link security infrastructure, helps strengthen people’s security without breaking links to sites that don’t yet support HTTPS,” Millican said.
From user perspective, Millican added that the move to HSTS preloading does not cause any user-visible latency or performance impact. Facebook’s upgrading of links to HTTPS also doesn’t involve Facebook checking to see if a site’s SSL/TLS certificate is valid, which is a capability that is built into modern web browsers.
“Upgrading our link security infrastructure is not meant to replace the security features of the browser,” Millican said. “It is aimed to help people connect directly to the most secure version of the website.”
HSTS Preloading Adoption
Security researcher Scott Helme is optimistic that Facebook’s use of HSTS preloading will help to lead to further adoption of the technology approach in the broader technology community.
“I am genuinely hopeful that a huge organization like Facebook showing their use of the preload list in this manner will inspire other organizations to think about how they may be able to use it in other ways too,” Helme told eWEEK.
Helme noted that Facebook isn’t the only organization that has deployed HSTS preloading, Cloudflare also has deployed the technology. Cloudflare announced back in September 2016 that it is using the HSTS preload list to automatically upgrade HTTP to HTTPS where possible.
“The HSTS preload list is open so anyone can grab a copy of the list and start using it in great ways to improve security across the web,” Helme said. “If you host or link to content like Facebook does, handle traffic or any one of countless other scenarios, you could quickly start experimenting with the HSTS preload list to see how you can use it to help build a more secure web for everyone.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.