Facebook has adopted the policy taken by Google and other websites after it enabled HTTPS as a default for user connections in North America.
The move is meant to provide secure browsing for part of the social network’s user base, which as of September is counted by the company to be more than a billion. The rollout began last week, and Facebook stated there are plans to make HTTPS default for the rest of the world as well. No specific date was given as to when that would be.
Starting last year, Facebook gave users the opportunity to turn on HTTPS so that it was used to protect their entire sessions as opposed to only being used whenever they entered their passwords. The option could be enabled through the Account Security section of the Account Settings page. At the time, Facebook advised users that while HTTPS improves security, encrypted pages take longer to load, and could slow down their experience using the site.
Google opted to turn HTTPS on by default for Gmail in 2010 after calls from security and privacy experts and the emergence of reports of attempts to access the Gmail accounts of Chinese human rights activists. In 2011, Google began redirecting users signed into their Google accounts to the HTTPS version of Google.com to encrypt the searches users perform and the results they receive. Earlier this year, Twitter enabled HTTPS by default for all its users as well, roughly a year after introducing it as an option. Users can turn the option of on their account settings page.
However, there has been research into attacks that can circumvent HTTPS, so it should not be considered fool-proof. For example, last year at the ekoparty Security Conference in Buenos Aires, two researchers demonstrated a tool known as BEAST that can be used to defeat SSL/TLS and enable attackers to steal cookies. Still, turning HTTPS on by default is a good step, blogged Graham Cluley, senior technology consultant at Sophos.
“Way back in January 2011, Facebook announced it was implementing HTTPS to allow its many millions of users the ability to automatically encrypt their communications with the social network – preventing hackers and attackers from sniffing your sensitive data while using unencrypted wifi hotspots,” Cluley blogged.
In April of last year, Sophos wrote an open letter to Facebook to requesting the site enable HTTPS by default as part of a list of security recommendations.
“We want to say this really clearly and loudly … Well done Facebook! Sure, we might have liked it if Facebook had enabled HTTPS by default more quickly, but it would be churlish to grumble now they’re doing it,” he added.
What do you know about Facebook? Take our quiz!
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…