Facebook Pushes All Users Onto More Secure Connection By Default
It has been more than two years since Facebook made it possible for users to enable a secure "https" connection for their account, something that had the side-effect of slightly longer loading times and reduced chances of hackery on public networks. Starting today, the social network will be making secure browsing its default following work on speeding it up and increasing compatibility.
According to Facebook, with this change 80-percent of the social network's mobile browser traffic and "virtually all" of its desktop browser traffic is done with a secure connection. Some devices and gateways don't support https, however, something Facebook says it is working with vendors on. For those affected by this, the session is downgraded when applicable.
As part of the process of switching over to the secure connection, Facebook says cookies were set with a Set-Cookie header for sending only for https requests. For insecure requests, the social network sends a csm cookie sans authentication, prompting a redirect to a secure connection for the proper cookies needed. As far as referrer headers go, Facebook redirects through an http page to keep private data secure, with the exception Chrome, which offers meta referrer as an alternative.
As far as third-party content goes, Facebook says that it gave its developers 150 days to update their apps and secure a certificate. The migration for users is taking place as a two-part process, which involves pushing sessions to the secure connection while the network is being used, meaning logging out and back in isn't necessary.
Facebook has also addressed performance concerns, saying that it has dealt with latency issues via a combination of abbreviated handshakes and an infrastructure upgrade. Edge networks, load balancers, and "various techniques" have all been deployed to help keep performance up. More improvements are slated to be released this autumn, bringing with them increased security.
SOURCE: Facebook