Facebook Implements Always On SSL
Facebook announced on July 31st that they have implemented https as default for all of their users. This means that almost all traffic to www.facebook.com and 80% of traffic to m.facebook.com will be using a secure connection. This is both a significant accomplishment for Facebook, who first made the option of using https available two years ago, but it is also great news for their users. When users log into Facebook and see https in the URL, the information they share is encrypted by a Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate. One of the most significant challenges Facebook faced in the implementation of default https was the impact on performance. Moving from http to https is much more complex than it might appear, and it is not simply re-rerouting from http to the https. SSL encryption requires extra round trips to complete the handshake that secures the session and depending on the user’s location and connection speed, there can be noticeable delays. However, Facebook has utilized abbreviated handshakes and have also upgraded their infrastructure to avoid this inconvenience.
Facebook is also working on additional upgrades that will be available this fall. They have already migrated from 1024-bit to 2048-bit RSA keys in compliance with the industry move at the end of the year. Facebook is also testing to Elliptic Curve Cryptography (ECC) as a more efficient but just as secure alternative to the industry-standard RSA. A 256-bit ECC certificate’s improved server performance and the increased number of simultaneous users provides real opportunities to improve on the performance challenges of the larger RSA certificates mandated by the end of this year. There are many other upgrades that Facebook is looking to in order to better secure their users. Click here to learn more.
“This security roadmap represents a solid gesture from Facebook on their continuing commitment to the privacy and security of their users,” says Craig Spiezle, executive director and president of the Online Trust Alliance (OTA). “Their commitment to always on SSL is commensurate with the values of our entire organization, for the betterment of the security ecosystem.”