Facebook is taking a page from Google and other sites by making HTTPS default for user connections in North America, following through on plans announced last year.
The move is meant to provide secure browsing for part of the social network’s user base, which as of September is counted by the company to be more than a billion. The rollout began last week, and Facebook stated there are plans to make HTTPS default for the rest of the world as well. No specific date was given as to when that would be.
Starting last year, Facebook gave users the opportunity to turn on HTTPS so that it was used to protect their entire sessions as opposed to only being used whenever they entered their passwords. The option could be enabled through the Account Security section of the Account Settings page. At the time, Facebook advised users that while HTTPS improves security, encrypted pages take longer to load, and could slow down their experience using the site.
HTTPS layers HTTP on top of the SSL/TLS protocol and provides authentication of the Website and Web server a user is communicating with and keeps the session cookie encrypted to provide protection against man-in-the-middle attacks.
Google opted to turn HTTPS on by default for Gmail in 2010 after calls from security and privacy experts and the emergence of reports of attempts to access the Gmail accounts of Chinese human rights activists. In 2011, Google began redirecting users signed into their Google accounts to the HTTPS version of Google.com to encrypt the searches users perform and the results they receive. Earlier this year, Twitter enabled HTTPS by default for all its users as well, roughly a year after introducing it as an option. Users can turn the option of on their account settings page.
However, there has been research into attacks that can circumvent HTTPS, so it should not be considered fool-proof. For example, last year at the ekoparty Security Conference in Buenos Aires, two researchers demonstrated a tool known as BEAST that can be used to defeat SSL/TLS and enable attackers to steal cookies. Still, turning HTTPS on by default is a good step, blogged Graham Cluley, senior technology consultant at Sophos.
“Way back in January 2011, Facebook announced it was implementing HTTPS to allow its many millions of users the ability to automatically encrypt their communications with the social network—preventing hackers and attackers from sniffing your sensitive data while using unencrypted wifi hotspots,” Cluley blogged.
In April of last year, Sophos wrote an open letter to Facebook to requesting the site enable HTTPS by default as part of a list of security recommendations.
“We want to say this really clearly and loudly … Well done Facebook! Sure, we might have liked it if Facebook had enabled HTTPS by default more quickly, but it would be churlish to grumble now they’re doing it,” he added.