Last week, Facebook Inc (NASDAQ:FB) began encrypting the connections of North American users to HTTPS by default. The social media giant will soon roll out always-on HTTPS to its entire user base worldwide. HTTPS keeps your data secure as they travel between your browser and servers.
Security experts have been asking Facebook Inc (NASDAQ:FB) for several years to enable always-on HTTPS (Hypertext Transfer Protocol Secure) by default. It prevents account hijacking attempts over insecure networks and prevents the governments of some nations from spying on the social networking activities of their residents.
Facebook Inc (NASDAQ:FB) announced the move on its Developers Blog. "As announced last year, we are moving to HTTPS for all users. This week, we're starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world," said Facebook platform engineer, Shireesh Asthana.
The Electronic Frontier Foundation (EFF), a strong proponent of always-on HTTPS shift, welcomed the move on Monday. Twitter, Google Search, and all the other services by Google Inc (NASDAQ:GOOG) are already HTTPS encrypted by default. Facebook initially launched HTTPS as an opt-in feature way back in January 2011. However, it was enabled only when you sent your password to the social networking site. And another problem was that whenever a user opened a third-party app that didn't support HTTPS, their whole Facebook connection would be switched back to HTTP.
To address this issue, Facebook Inc (NASDAQ:FB) asked all the app developers in May 2011 to make their apps HTTPS-compatible and acquire SSL certificates before October 1, 2011. It's still unclear why it took the company one more year from that deadline to bring the always-on HTTPS by default.
Ivan Ristic, a director at online security firm Qualys, thinks it was a big challenge for the social networking giant to implement HTTPS because it has millions of third party websites and apps integrated with its platform. Ivan said you can easily implement HTTPS within your own infrastructure, but it becomes extremely difficult when you have to deal with third-party providers.
Now Facebook Inc (NASDAQ:FB) will have to implement HSTS (HTTP Strict Transport Security) which allows HTTPS-enabled sites to instruct the user's web browser that any action to connect with them on HTTP should not be permitted. It prevents SSL stripping, which allows a hacker positioned between a user and a website to downgrade the connection from HTTPS to HTTP.