After having introduced secure browsing as an option in 2011, and having begun rolling out always-on HTTPS by default for users in North America late last year, Facebook is finally making it the default option for all users.
The feature makes sure that the information sent by the users / browsers to the company servers is always sent via the Transport Layer Security (TLS) cryptographic protocol, making it more secure if intercepted.
According to Facebook software engineer Scott Renfro, when the feature was first introduces two years ago, more that a third of users had enabled it immediately despite the fact that it could slow down their Facebook use.
“We’ve focused on making it faster throughout the world and improving its compatibility with platform applications,” says Renfro, and adds that practically all traffic directed to the Facebook main page, as well as some 80 percent of that directed to its mobile equivalent, now uses a secure connection.
He also took the time to explain a bit about the difficulties they encountered while making all of this possible. “Switching to https is more complicated than it might seem. It’s not simply a matter of redirecting from http://www.facebook.com to https://www.facebook.com,” he says.
Among the problems that had to be solved were a few regarding authentication and indicator cookies, referrer headers, and migration. Also, third-party platform application developers had to upgrade their apps to support https.
They also had to resolve performance problems.
“For example, if you’re in Vancouver, where a round trip to Facebook’s Prineville, Oregon, data center takes 20ms, then the full handshake only adds about 40ms, which probably isn’t noticeable. However, if you’re in Jakarta, where a round trip takes 300ms, a full handshake can add 600ms. When combined with an already slow connection, this additional latency on every request could be very noticeable and frustrating,” he explains. “Thankfully, we’ve been able to avoid this extra latency in most cases by upgrading our infrastructure and using abbreviated handshakes.”
Finally, he announced a couple of changes they are still working on, among which is the implementation of a type of cryptographic key exchange that will ensure Perfect Forward Secrecy, and the upgrading of their cryptographic RSA keys from 1048-bit to 2048-bit ones by the end of the year.