Facebook Switching To HTTPS By Default

Trailrunner7 writes "Facebook this week will begin turning on secure browsing by default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks. Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to opt-in and manually make the change in order to get the better protection of HTTPS."

Need password

[jfdavis668]

Would be helpful if I didn't need a password to read the linked article.

Re:Need password

[arobatino]

It's a typo. Remove the trailing apostrophe in the URL.

Re:Need password

[TheInternetGuy]

It's a typo. Remove the trailing apostrophe in the URL.

Still not working here. I need to go to;
https://threatpost.com/en_us/blogs/facebook-enabling-https-default-north-american-users-111912

Re:Need password

[Alien+Being]

No. The article is a joke. Facebook is a joke.

Re:Need password

Aww, you mad? Did you buy Facebook stock?

How long does it take to get a cert?

[fsck1nhippies]

I can't believe this would be considered news? Facebook figures out how to do a redirect to a HTTPS page. No wonder their IPO was a flop... It will be amazing if they are here in a year.

Re:How long does it take to get a cert?

Did you say the same when Google did this last year, or are you just a fucking moron?

Re:How long does it take to get a cert?

[Culture20]

They've had a cert (and an https only option) for years. They apparently finally have the computing power to make it default ( it's not free to encrypt every little transaction, and their pages auto update).

Re:How long does it take to get a cert?

it costs to decrypt too, and is significant on arm cpus, which there are plenty of on phones and tablets!

Re:How long does it take to get a cert?

[TheRealGrogan]

Yes, I don't like the use of https where it's not needed. It's more overhead all around and YES it matters on busy servers and slow, high latency links. It can also meant he difference between accessing and not accessing the site with a misconfigured router (e.g. wrong MTU on a PPPoE connection can make SSL not work correctly. There's one ISP here that needs packets no larger than 1454 bytes or there's trouble signing into various services. The default on the routers is 1492 for PPPoE, which is supposed to be correct but gets people every time. The ISP doesn't "support" routers, unless they supply, configure and lock you out of them. So I get service calls over that all the time)

I do not need SSL on Google. Like I give a fuck if people snoop my search phrases. (I'll search for "kiss my ass" just in case the bogey man is listening) I would want SSL for signing in to, say, Gmail or something but I don't need it for all communications. Now that Google has carried the https over to Youtube, some silly browsers (e.g. IE8) prompt on the loading of every damned page because there's a mix of secure and non secure content. Really smart.

Re:How long does it take to get a cert?

[ewieling]

If you only use SSL when you have something to protect, then you are telling any attacker (including a government "attacker") exactly which data you think is important.

Re:How long does it take to get a cert?

Google disagrees. http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

"SSL/TLS is not computationally expensive any more."

Re:How long does it take to get a cert?

The authentication cookie is what needs protecting.

Re:How long does it take to get a cert?

[LordLimecat]

Now that Google has carried the https over to Youtube, some silly browsers (e.g. IE8) prompt on the loading of every damned page because there's a mix of secure and non secure content. Really smart.

Im glad youre not in charge of making browsers. The reason thats a big deal is because when you request an SSL page that has a valid cert, the assumption is that your connection is secure from MITMs. If some of the content on the page is insecure, the value of SSL is basically nil: someone can inject html / js that overlays the secure content, so instead of putting usernames / passwords into a secure submission form you are putting it into the attackers overlaid insecure submission form. Once you press submit, that data is transmitted in the clear, you likely get an error page asking you to try again, and the attacker now has all your info.

Thats why all browsers with a clue let you know about that gigantic, ridiculous, glaring security hole with mixed content.

Re:How long does it take to get a cert?

[LordLimecat]

Not just intel. Use a modern AMD processor or any Xeon E3 or above, and you can hit in excess of 10gbit/sec of AES traffic thru the processor alone (not even counting accelerators). I understand there are PCIe accelerators out there by Exar that can give a pretty substantial boost as well.

Re:How long does it take to get a cert?

[LordLimecat]

You mean those same governments whose root certs are already in 90% of computer trust chains?

Protip: your computer very likely trusts a root cert from a Chinese company with "strong" ties to their government. Sleep well.

Re:How long does it take to get a cert?

You do need it. Google services transfer your session id back and forth all the time, you can't ssl it "a bit". That's how the interwebz work, sorry; feel free to choose a different mail provider, search engine and social network.

Re:How long does it take to get a cert?

I do not need SSL on Google. Like I give a fuck if people snoop my search phrases. (I'll search for "kiss my ass" just in case the bogey man is listening) I would want SSL for signing in to, say, Gmail or something but I don't need it for all communications. Now that Google has carried the https over to Youtube, some silly browsers (e.g. IE8) prompt on the loading of every damned page because there's a mix of secure and non secure content. Really smart.

Google is Gmail, YouTube, Google Search, Google Maps, Google Calendar, Google Shopper, Google Play, Google+, Google Drive, Google Reader, Google Wallet and of course Google Chrome, plus more. Of those, many should require SSL by default.

If I create an event such as an actual meeting in Google Calendar for only a few people on Google+ to see such as coworkers, I'd rather it be encrypted to further ensure snooping parties can't know about it. Otherwise filling in where it is taking place could be a privacy concern. Google Maps allows you to save locations such as home and workplace. Encrypt that to help prevent stalking. Gmail should of course be secure for obvious reasons. YouTube is like Google Search (and Google Image Search of course): all you're doing is entering search queries. Of course, something like "20 ways to kill your boss" could obviously be a scary thing. Funny thing is that you'd be searching for a game called Whack Your Boss.

You probably need SSL more than you think, especially when features are added that could compromise your personal safety due to revealing your physical location in some way. Even checking into a place on Google+ or Facebook or Google Latitude or something similar could cause a problem for you without SSL.

Now if you'll excuse me, I have a tinfoil hat to put on.

Re:How long does it take to get a cert?

[heypete]

Indeed. The "heavy" part of SSL is doing the connection setup and exchange as it uses asymmetric algorithms like RSA or Diffie-Hellman for key exchange. The actual bulk encrypted transport is relatively lightweight. It never made much sense to me to spend the cycles to setup a secure connection, use it for protecting the login/password, and then dropping back to an insecure page when you could just keep the same connection secure for minimal additional resources.

Re:How long does it take to get a cert?

[fa2k]

That's not a problem though, as they will not be able to read it anyway. All they know is what server you connected to and the size, number and time of packets in each direction. [Also read comment below, your attacker may have access to a root CA. I'd mod that up if I had mod points.] One benefit of encrypting unimportant traffic, apart from the actual security benefits like when using open WLANs, is that it makes it much more difficult to block specific pages.

Re:How long does it take to get a cert?

[TheRealGrogan]

In this case none of that content needs to be encrypted in the first place. This isn't your bank, it's just a video site.

I have noticed the problem only with IE8. I suppose that nobody else except you and it, have a clue?

It is probably erroneous.

Re:How long does it take to get a cert?

Protip: your browser very likely trusts a root cert from a Chinese company with "strong" ties to their government. Sleep well.

FIFY

Re:How long does it take to get a cert?

[LordLimecat]

No, computer. Browsers tend to use the system trusted root cert info. On OSX you install certs to the system certificate chain to get SSL errors to disappear in your browser, email, etc. Ditto on Windows for RDP, email, browsing, and VPNs (SSTP).

Firefox may be the odd man out-- I believe it uses its own internal trusted roots list.

Re:How long does it take to get a cert?

[LordLimecat]

Youtube uses your google account for login. I really dont think you want your gmail credentials out in the open.

And Chrome WILL warn you if there is mixed content-- they just do it with an icon rather than a popup. The popup you noticed originated at least as far back as IE6, and possibly earlier.

Re:How long does it take to get a cert?

[dajjhman]

Actually, without SSL Man in the Middle Attacks are very problematic. As a security researcher, I can tell you that it is very easy to cause mayhem with http-based traffic for facebook. We'd launch a proxy on the network, and funnel traffic through it. With no security, we could, for example, change the destination and content of messages, and see everything.

Re:How long does it take to get a cert?

[asdf7890]

Nope. Not just your browser. Your browser, your OS & some of its support libraries that many other apps may use.

Re:How long does it take to get a cert?

[ewieling]

If the government wants to read my SSL traffic badly enough they will find a way. I'm not concerned about the NSA, CIA, Military, etc. If they take an interest in me, then I'm totally fucked anyway. I'm concerned with the rest of the government, I want them to work just a little harder to get access to my data. Think of it like locks on doors. They won't keep out a determined thief, but they are not intended to. They are intended to make you less of a target than your neighbors. i.e. you are making the thief work just a little harder to steal your stuff than your neighbors stuff. Fortunately I'm a nobody. I don't do stuff to piss off the government and I hope they never think I'm associated with someone who does piss off the government.

Re:How long does it take to get a cert?

[TheRealGrogan]

No, I am saying that IE8 is erroneously putting up that message. I know what it means and yes, it's been around much earlier than IE6. I think I remember it in Netscape even.

I don't sign in to youtube. I don't sign in to Google. I opted out of all the social networking tripe. (I forget what they call it, but there's a central site you can use to opt out of Google Everything all at once, and only keep what you want.) I have a disposable Gmail account, with completely false information that I log in to maybe once every few months (or if I'm expecting correspondence) and then I log out of it.

So no, I really don't care to have my searches over SSL. It's just unnecessary overhead. I also don't care to read mailing list archives or download source code over SSL either.

Link to article has extra character at end

[mcl630]

The proper link is:

https://threatpost.com/en_us/blogs/facebook-enabling-https-default-north-american-users-111912

Re:Link to article has extra character at end

[jfdavis668]

Thank you.

Re:Link to article has extra character at end

Interesting bug. I wonder if one can exploit this using SQL injection.

Re:Link to article has extra character at end

Or for those who don't believe in encrypting reading articles.

http://threatpost.com/en_us/blogs/facebook-enabling-https-default-north-american-users-111912

I think this whole https by default is terrible myself.

If I compare the load time of http and https for a single image the results are:

[code]
# time curl -O http://sphotos-a.xx.fbcdn.net/hphotos-ash3/550798_439936972722687_1113979556_n.jpg
-abbrev-due-to-slashdot-
curl -O 0.00s user 0.01s system 2% cpu 0.629 total

versus

# time curl -O https://sphotos-a.xx.fbcdn.net/hphotos-ash3/550798_439936972722687_1113979556_n.jp
-abbrev-due-to-slashdot-
curl -O 0.00s user 0.02s system 1% cpu 1.107 total
[/code]

Both of them being served from a Facebook CDN in San Jose?

For some reason I've randomly had Facebook utilise https links in the past and I've already tried opting out of HTTP. I figure, Facebook are the bad guys -- what could be worse than someone else intercepting the contents?

I had to remove the content of curl due to slashdot.

Re:Link to article has extra character at end

[M0j0_j0j0]

Pick your poison.

Re:Link to article has extra character at end

[YodasEvilTwin]

Is 0.01 seconds on a single attempt what you consider "significant"? Because it's not. Try a statistically meaningful number of attempts with either (a) a larger file where hiccups have less effect on the total time or (b) real-world usage with multiple assets of various sizes.

power

wonder what the implications are from a power consumption perspective?

Re:power

They should have a dedicated server for encryption and caching. With a dedicated encryption card, this server should be able to handle 10,000s of connections easily. The overall power consumption should be the same.

Re:power

So you're saying the encryption processor consumes absolutely no power at all?

Re:power

In the scheme of things, absolutely. My bet would be on ~0.01% more power consumption. Low enough to be rounding error.

Re:power

[Alien+Being]

I don't know but I'm sure the waste ratio hasn't increased from 100%.

SSL hardware acceleration?

[timeOday]

Anybody know if facebook is using any hardware SSL acceleration? Or is throwing more commodity CPUs at it the better choice?

Re:SSL hardware acceleration?

[Hadlock]

Crystal Forest is supposed to have SSL acceleration built in. Ivy Bridge (2012) has AES acceleration built in on midrange i5s and up, and I think AES was supported by some processors as early as Sandy Bridge (2011). Crystal Forest is a platform rather than microarchitecture, and I'm not sure exactly when it will be released.

Re:SSL hardware acceleration?

[SuperQ]

With modern machines you only spend about 2% of your CPU handling the HTTPS part of the transaction, especially with HTTPS connection re-use handling. Back when they first started enabling HTTPS I calculated that it might take one more rack of machines to handle all the HTTPS needs for facebook in a worst-case situation. One rack is a drop in the bucket for the http front ends these days for service as big as facebook.

Re:SSL hardware acceleration?

A10networks.

No, multiple CPUs it is not a better choice.

      http://www.a10networks.com/products/axseries-product_specifications.php#with_fta

I work with F5, Citrix and A10. hands down A10 leads in terms of price performance - AX5200

Re:SSL hardware acceleration?

Hardware SSL is passé. CPU's are all very fast if not accelerated for it now.

Re:SSL hardware acceleration?

I am sure that the facebook guys have thought this through, but currently facebook.com returns multiple ip addresses (dns round robin) which will cause the client to re-negotiate the ssl handshake every time they hit the facebook.com endpoint. Unless they are sharing the ssl session cache there will be a dramatic performance decrease due to all of the ssl handshakes. Any OS which does not enable dns caching, like linux by default (NSCD sucks:() will see a huge performance hit from this.
Also, the AES-ni will help with throughput, but will not help with the ssl handshakes and in the testing that I did when we switched form a hardware accelerated ssl termination point to a software based one, AES-ni really did not help with the already existing ssl sessions unless there were connections which took more than a few seconds to complete.

Our software based solution is around 20,000 new ssl terminations per second
with 150,000 re-use per second
and I am able to push around 20 Gbps of traffic (with aes-ni of course) 12 Gbps without aes-ni

haproxy is the sweet sauce.

Re:SSL hardware acceleration?

Google has been working on reducing the latency for HTTPS connections. Look up "false start" and "snap start". Basically, the client can skip some steps (partially based on assuming the server response will be the same as before) to reduce the number of round trips needed for HTTPS connections.

Re:SSL hardware acceleration?

Facebook use hardware from F5 Networks. No other vendor has hardware that can scale like F5.

Thanks, Facebook.

[pushing-robot]

Twitter did it a while back. Facebook finally jumped on the bandwagon. Now if only ChatRoulette would follow suit, I could finally bare every detail of my life to strangers without fear of prying eyes.

Re:Thanks, Facebook.

Google needs to do it too, should not be optional.

Re:Thanks, Facebook.

[varargs]

Zuckerborg would be a hero in my book if he would redirect all of facebook to /dev/null.

Re:Thanks, Facebook.

[roc97007]

  "[...] I could finally bare every detail of my life to strangers without fear of prying eyes"

Um.... um... where do I begin...

Re:Thanks, Facebook.

Can we say addition

Re:Thanks, Facebook.

[UCFFool]

I know you are just being amusing, but the joy of HTTPS-Everywhere is, well, default everywhere.

Re:Thanks, Facebook.

[Ford+Prefect]

Zuckerborg would be a hero in my book if he would redirect all of facebook to /dev/null.

Actually, he'd probably get it the wrong way round and redirect that howling infinite void of /dev/null out to the entire populace of Facebook - instantly terminating, unending nothingness piped through smartphones and laptops and desktop computers, straight into the uncomprehending, newly-obliterated minds of the social networking masses.

Still, everyone would find it an improvement over the previous service.

Re:Thanks, Facebook.

Sure, you can add other people to the mayhem too.

No big deal

[Sarten-X]

Of course, the biggest security vulnerability is on one end of the connection, and the biggest threat to privacy is on the other. HTTPS won't help much for those.

It's not about security but more privacy

[JcMorin]

I think you should see it the other way around. For me HTTPS is more about privacy than security... Having my connection encrypted prevent my company, ISP, governments or any routers between to know what I'm doing. Security is usually, as you said, related to your computer or the web site getting hacked or not. IMO the web should https by default.

Re:It's not about security but more privacy

[ark1]

Problem is whatever you upload to Facebook should be considered as exposed/compromised even if you set your privacy settings otherwise. You just know sooner or later another Facebook screw up will occur and information meant to remain private will be made public.

Re:It's not about security but more privacy

If you're running SSL from a company controller computer, realize that they control what CAs are trusted, and so they can do corporate man-in-the-middle proxies to decrypt any SSL traffic. This is commonly done to check for malicious stuff over SSL connections (less so to eavesdrop on employees, but this is, of course, possible).

So my Driftnet screen will go black?

[rduke15]

This is really sad news. My driftnet/webcollage screen in my living room will get boring if it gets starved of all the neighbours' Facebook activity. https is killing all the fun!

Re:So my Driftnet screen will go black?

I wanted to do the same thing with an old first gen digital picture frame. Oh well put the soldering iron away for another day.

Re:So my Driftnet screen will go black?

[flyingfsck]

You could display chatroulette on your picture frame. It would be much the same thing...

Re:So my Driftnet screen will go black?

If there is still an option for normal HTTP traffic on Facebook, you can try using something like SSLStrip to force unencrypted connections. Most users won't notice the lack of an s in the address bar, especially since they never used to have it.

Re:So my Driftnet screen will go black?

If you want a picture frame displaying thousands of live images of random penises, no one is stopping you...

That's nice

[viperidaenz]

Maybe they just want to make it harder for 3rd parties to see their traffic. Browsers won't show https url's as a referer, so advertisers can't audit their click rates.

They don't like competition

[Hentes]

Facebook doesn't want anybody else stealing your data.

Craigslist forums are now https

Not the entire site, just the forums I noticed this change about a week ago, right after the New York attorney general subpoen'd CL for IP addresses of alleged gasoline price gougers. But the for sale and jobs listings are still port 80, so I'm not sure what Craig is after.

http should be banned

HTTP should be banned.

Yes, I know there is an associated cost to it, there's an associated cost to everything, so figure it out. So the CEO might have to get a Porsche instead of Ferrari.

Wah!

Performance implications of HTTPS

Thanks for completely destroying any ability to cache content. Really speeds up the "web experience", because as we all know, with your "Web 2.0" shit it's already blazing fast, right?

Thanks for the added protocol overhead required for certificate and cipher negotiation for every connection. Really speeds things up too! Can't wait for those Location: redirects too, that way I can battle with my browser when clicking the Back button faster than it can get headers!

Thanks for using HTTPS exclusively; it's very important that all those compressed images be transmit securely! Really speeds up loading times for big images, and it's not like sites like Facebook have images at all! *clicks a button and isn't sure what's going on because some Javascript bullshit behind the scenes is doing something, so clicks another button which may or may not do something based on if previous button is still blocking or not*

Thanks for removing any ability to troubleshoot what's going on (by use of Wireshark -- for legit purposes, not nefarious). Really helps debug issues, especially when "abstract frameworks" are used across multiple layers of an infrastructure (front-end to back-end)!

So yes, thanks everyone, for moving to HTTPS entirely! If your concerns were purely about plaintext passwords going across the wire via HTTP, you could have just designed your shit differently while using RFC 2817 for the authentication bits only. But nah, that'd require some brainpower and thinking about all the above implications. Better to just use SSL entirely. Excellent design as a result of fantastic engineering choices.

Cheers!

Captcha: smarted

Re:Performance implications of HTTPS

Disregard that, I suck cocks!

Re:Performance implications of HTTPS

Well I'm glad we cleared that up.

Yawn ...

[drpimp]

Glad the populace on there will enjoy HTTPS as I have been explicitly been using for years now. I never wanted my pesky network admins sitting on the wire and watching what I post when I am at work ... errrrr on break ... errr I mean ...

Re:Yawn ...

Glad the populace on there will enjoy HTTPS as I have been explicitly been using for years now. I never wanted my pesky network admins sitting on the wire and watching what I post when I am at work ... errrrr on break ... errr I mean ...

They can still see your posts. If tyou control the network a MITM exploit is pretty trivial.

awesome!

This means I'll have more exclusive rights to the content shared with my man in the middle attack!

Facebook + Security = WTF?

[__aaltlg1547]

They still encourage you to air all your soon-to-be-former-friends' laundry and sell their identities for entertainment.

Latency to https?

[Twinbee]

Will https add any latency to site navigation?

Re:Latency to https?

[heypete]

I've opted to use https only on Facebook for a year or so and haven't noticed any discernible difference.

opt-in opt-out

Typical FB: opt-in on security when you always have to opt-out on privacy rights?

Now - finally "force-in" on security - really long overdue...

cap buster

all those facebook addicts, all those pageviews and all that content that will no longer be cached by browser.........

Re:cap buster

[jedwidz]

HTTPS content can be cached in the browser, and why not?

You can expect to lose proxy caching though.

(Unless your corporate proxy is kind enough to decrypt your traffic and then cache it...)

Re:wrong!

The IPO was not a flop, yet a huge influx of capital. Even if the stock were to fall to $8 dollars, facebook would still have enough money to continue on trying to integrate facebook into everything. It's really genius how they over valued facebook at 100 billion, yet to have it fall to a valuation of 35 billion which is still over valued by 34.8 billion.

Turning on secure browsing be default?

[dgharmon]

Except, if you are at the end of a corporate proxy, your encrypted session can be easily eavesdropped on .. link

A problem I have with that...

Last year I succumbed to Facebook's nagging and I finally opted to raise my security to the HTTPS setting. Largely to shut it the @#$% up.

Nagging was worse than ad-supported software.

However once I did that my troubles began. None of the games I played would run under the HTTPS and instructed me to drop back to the HTTP security. However once I did that, Facebook was nagging me "Did I really want to do that?" and "Are you certain that this is wise? The higher security is better to protect your identity".

After several attempts I gave it up and left it at the HTTPS setting. Haven'y played a Facebook game or ran a Facebook app since.

So my question is...what's going to happen to all the people who are addicted to all the apps and games? Will they *finally* run under the higher security setting? Or are we going to hear the wailing and gnashing of teeth as people start going into withdrawal when they can't check on their farms to see if they got the magical macguffin of the week?

I have a slight problem with this...

[Phoenix]

Last year I succumbed to Facebook's nagging and I finally opted to raise my security to the HTTPS setting. Largely to shut it the @#$% up.

Nagging was worse than ad-supported software.

However once I did that my troubles began. None of the games I played would run under the HTTPS and instructed me to drop back to the HTTP security. However once I did that, Facebook was nagging me "Did I really want to do that?" and "Are you certain that this is wise? The higher security is better to protect your identity".

After several attempts I gave it up and left it at the HTTPS setting. Haven'y played a Facebook game or ran a Facebook app since.

So my question is...what's going to happen to all the people who are addicted to all the apps and games? Will they *finally* run under the higher security setting? Or are we going to hear the wailing and gnashing of teeth as people start going into withdrawal when they can't check on their farms to see if they got the magical macguffin of the week?

[I didn't notice that my comp was logged off of my account and posted it as an anon-coward]

Re:I have a slight problem with this...

[Unknown+Relic]

Facebook used to allow apps/games to optionally provide a secure URL to be used when a user was logged in via https but it was up to the developer to determine if https was supported or not. Because SSL = the need to purchase a certificate many did not, but it's now required that a secure URL be provided.

Re:I have a slight problem with this...

[bill_mcgonigle]

I suppose they'll be forced to finally support their app on HTTPS, like they should have done two years ago.

Such valuable data

[Jaza]

Britney Braindead:
"OMG peepz Justin Bieber is on the morning show... switch channels RIGHT NOW!!!"
2 minutes ago

SSL... is it really necessary?

man in the middle

This will make no difference to many people who use preconfigured browsers at their place of work. Fake certs for facebook and other sites are inserted into the browser so that the users don't see the man in the middle decoding their traffic.
The average user has no idea this is possible and even those who do know would probably not think to check the certs stored in the browser.

Great!

That's Fantastic! Https will keep those prying eyes away except for the built in Gov't back door to Facebook. Cool :-)

Quicker HTTPS

[u64]

A few things that may help on Palemoon and Firefox :

  Make sure SSL pages gets cached,
browser.cache.disk_cache_ssl;true

  Pipeline the SSL too,
network.http.pipelining.ssl;true

  TorBrowser uses this,
security.ssl.enable_false_start;true

  And as always, reduce some traffic bloat,
dom.storage.enabled;false
gfx.downloadable_fonts.enabled;false
browser.chrome.image_icons.max_size;16
general.useragent.override;Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0

  If you want, at the cost of stickier browser-fingerprint,
image.http.accept;*