Forgot your password?
typodupeerror
Facebook Security IT

Facebook Switching To HTTPS By Default 92

Posted by Unknown Lamer
from the single-party-spying dept.
Trailrunner7 writes "Facebook this week will begin turning on secure browsing by default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks. Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to opt-in and manually make the change in order to get the better protection of HTTPS."
This discussion has been archived. No new comments can be posted.

Facebook Switching To HTTPS By Default

Comments Filter:
  • Need password (Score:5, Insightful)

    by jfdavis668 (1414919) on Monday November 19, 2012 @08:34PM (#42034271)
    Would be helpful if I didn't need a password to read the linked article.
  • I can't believe this would be considered news? Facebook figures out how to do a redirect to a HTTPS page. No wonder their IPO was a flop... It will be amazing if they are here in a year.

    • by Culture20 (968837) on Monday November 19, 2012 @08:55PM (#42034511)
      They've had a cert (and an https only option) for years. They apparently finally have the computing power to make it default ( it's not free to encrypt every little transaction, and their pages auto update).
    • Thank you.
  • power (Score:3, Interesting)

    by Anonymous Coward on Monday November 19, 2012 @08:37PM (#42034303)

    wonder what the implications are from a power consumption perspective?

    • Re: (Score:3, Insightful)

      by Alien Being (18488)

      I don't know but I'm sure the waste ratio hasn't increased from 100%.

  • by timeOday (582209) on Monday November 19, 2012 @08:49PM (#42034431)
    Anybody know if facebook is using any hardware SSL acceleration? Or is throwing more commodity CPUs at it the better choice?
    • by Hadlock (143607) on Monday November 19, 2012 @08:54PM (#42034493) Homepage Journal

      Crystal Forest is supposed to have SSL acceleration built in. Ivy Bridge (2012) has AES acceleration built in on midrange i5s and up, and I think AES was supported by some processors as early as Sandy Bridge (2011). Crystal Forest is a platform rather than microarchitecture, and I'm not sure exactly when it will be released.

    • by SuperQ (431) *

      With modern machines you only spend about 2% of your CPU handling the HTTPS part of the transaction, especially with HTTPS connection re-use handling. Back when they first started enabling HTTPS I calculated that it might take one more rack of machines to handle all the HTTPS needs for facebook in a worst-case situation. One rack is a drop in the bucket for the http front ends these days for service as big as facebook.

  • by pushing-robot (1037830) on Monday November 19, 2012 @08:51PM (#42034453)

    Twitter did it a while back. Facebook finally jumped on the bandwagon. Now if only ChatRoulette would follow suit, I could finally bare every detail of my life to strangers without fear of prying eyes.

    • by varargs (2260180) on Monday November 19, 2012 @09:05PM (#42034627)
      Zuckerborg would be a hero in my book if he would redirect all of facebook to /dev/null.
      • Zuckerborg would be a hero in my book if he would redirect all of facebook to /dev/null.

        Actually, he'd probably get it the wrong way round and redirect that howling infinite void of /dev/null out to the entire populace of Facebook - instantly terminating, unending nothingness piped through smartphones and laptops and desktop computers, straight into the uncomprehending, newly-obliterated minds of the social networking masses.

        Still, everyone would find it an improvement over the previous service.

    • by roc97007 (608802)

        "[...] I could finally bare every detail of my life to strangers without fear of prying eyes"

      Um.... um... where do I begin...

    • by UCFFool (832674)
      I know you are just being amusing, but the joy of HTTPS-Everywhere [eff.org] is, well, default everywhere.
  • No big deal (Score:4, Insightful)

    by Sarten-X (1102295) on Monday November 19, 2012 @08:55PM (#42034517) Homepage

    Of course, the biggest security vulnerability is on one end of the connection, and the biggest threat to privacy is on the other. HTTPS won't help much for those.

    • I think you should see it the other way around. For me HTTPS is more about privacy than security... Having my connection encrypted prevent my company, ISP, governments or any routers between to know what I'm doing. Security is usually, as you said, related to your computer or the web site getting hacked or not. IMO the web should https by default.
      • by ark1 (873448)
        Problem is whatever you upload to Facebook should be considered as exposed/compromised even if you set your privacy settings otherwise. You just know sooner or later another Facebook screw up will occur and information meant to remain private will be made public.
  • by rduke15 (721841) <rduke15@g m a il.com> on Monday November 19, 2012 @09:24PM (#42034831)

    This is really sad news. My driftnet/webcollage [ex-parrot.com] screen in my living room will get boring if it gets starved of all the neighbours' Facebook activity. https is killing all the fun!

  • That's nice (Score:4, Insightful)

    by viperidaenz (2515578) on Monday November 19, 2012 @09:26PM (#42034849)
    Maybe they just want to make it harder for 3rd parties to see their traffic. Browsers won't show https url's as a referer, so advertisers can't audit their click rates.
  • Facebook doesn't want anybody else stealing your data.

  • Glad the populace on there will enjoy HTTPS as I have been explicitly been using for years now. I never wanted my pesky network admins sitting on the wire and watching what I post when I am at work ... errrrr on break ... errr I mean ...
  • They still encourage you to air all your soon-to-be-former-friends' laundry and sell their identities for entertainment.
  • Will https add any latency to site navigation?
    • by heypete (60671)

      I've opted to use https only on Facebook for a year or so and haven't noticed any discernible difference.

    • A few things that may help on Palemoon and Firefox :

      Make sure SSL pages gets cached,
      browser.cache.disk_cache_ssl;true

      Pipeline the SSL too,
      network.http.pipelining.ssl;true

      TorBrowser uses this,
      security.ssl.enable_false_start;true

      And as always, reduce some traffic bloat,
      dom.storage.enabled;false
      gfx.downloadable_fonts.enabled;false
      browser.chrome.image_icons.max_size;16
      general.useragent.override;Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0

      If you want, at

  • Except, if you are at the end of a corporate proxy, your encrypted session can be easily eavesdropped on .. link [crypto.com]
  • by Phoenix (2762) on Tuesday November 20, 2012 @08:32AM (#42039197)

    Last year I succumbed to Facebook's nagging and I finally opted to raise my security to the HTTPS setting. Largely to shut it the @#$% up.

    Nagging was worse than ad-supported software.

    However once I did that my troubles began. None of the games I played would run under the HTTPS and instructed me to drop back to the HTTP security. However once I did that, Facebook was nagging me "Did I really want to do that?" and "Are you certain that this is wise? The higher security is better to protect your identity".

    After several attempts I gave it up and left it at the HTTPS setting. Haven'y played a Facebook game or ran a Facebook app since.

    So my question is...what's going to happen to all the people who are addicted to all the apps and games? Will they *finally* run under the higher security setting? Or are we going to hear the wailing and gnashing of teeth as people start going into withdrawal when they can't check on their farms to see if they got the magical macguffin of the week?

    [I didn't notice that my comp was logged off of my account and posted it as an anon-coward]

    • Facebook used to allow apps/games to optionally provide a secure URL to be used when a user was logged in via https but it was up to the developer to determine if https was supported or not. Because SSL = the need to purchase a certificate many did not, but it's now required that a secure URL be provided.
    • I suppose they'll be forced to finally support their app on HTTPS, like they should have done two years ago.

  • Britney Braindead:
    "OMG peepz Justin Bieber is on the morning show... switch channels RIGHT NOW!!!"
    2 minutes ago

    SSL... is it really necessary?

Recursion is the root of computation since it trades description for time.

Working...