Slashdot Mirror


Facebook Switching To HTTPS By Default

Trailrunner7 writes "Facebook this week will begin turning on secure browsing by default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks. Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to opt-in and manually make the change in order to get the better protection of HTTPS."

52 of 92 comments

  1. Need password by jfdavis668 · · Score: 4, Insightful

    Would be helpful if I didn't need a password to read the linked article.

    1. Re:Need password by arobatino · · Score: 2

      It's a typo. Remove the trailing apostrophe in the URL.

    2. Re:Need password by TheInternetGuy · · Score: 4, Informative

        "It's a typo. Remove the trailing apostrophe in the URL."

      Still not working here. I need to go to:
      https://threatpost.com/en_us/blogs/facebook-enabling-https-default-north-american-users-111912

      --
      If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
    3. Re:Need password by Anonymous Coward · · Score: 2, Funny

      Aww, you mad? Did you buy Facebook stock?

  2. How long does it take to get a cert? by fsck1nhippies · · Score: 1

    I can't believe this would be considered news? Facebook figures out how to do a redirect to a HTTPS page. No wonder their IPO was a flop... It will be amazing if they are here in a year.

    1. Re:How long does it take to get a cert? by Culture20 · · Score: 4, Insightful

      They've had a cert (and an https only option) for years. They apparently finally have the computing power to make it default ( it's not free to encrypt every little transaction, and their pages auto update).

    2. Re:How long does it take to get a cert? by TheRealGrogan · · Score: 3, Informative

      Yes, I don't like the use of https where it's not needed. It's more overhead all around and YES it matters on busy servers and slow, high latency links. It can also mean the difference between accessing and not accessing the site with a misconfigured router (e.g. wrong MTU on a PPPoE connection can make SSL not work correctly. There's one ISP here that needs packets no larger than 1454 bytes or there's trouble signing into various services. The default on the routers is 1492 for PPPoE, which is supposed to be correct but gets people every time. The ISP doesn't "support" routers, unless they supply, configure and lock you out of them. So I get service calls over that all the time.)

      I do not need SSL on Google. Like I give a fuck if people snoop my search phrases. (I'll search for "kiss my ass" just in case the bogey man is listening.) I would want SSL for signing in to, say, Gmail or something, but I don't need it for all communications. Now that Google has carried the https over to YouTube, some silly browsers (e.g. IE8) prompt on the loading of every damned page because there's a mix of secure and non-secure content. Really smart.

    3. Re:How long does it take to get a cert? by ewieling · · Score: 4, Insightful

      If you only use SSL when you have something to protect, then you are telling any attacker (including a government "attacker") exactly which data you think is important.

      --
      I really shouldn't have used someone else's email address for this account.
    4. Re:How long does it take to get a cert? by LordLimecat · · Score: 1

        "Now that Google has carried the https over to Youtube, some silly browsers (e.g. IE8) prompt on the loading of every damned page because there's a mix of secure and non secure content. Really smart."

      I'm glad you're not in charge of making browsers. The reason that's a big deal is because when you request an SSL page that has a valid cert, the assumption is that your connection is secure from MITMs. If some of the content on the page is insecure, the value of SSL is basically nil: someone can inject html / js that overlays the secure content, so instead of putting usernames / passwords into a secure submission form you are putting it into the attacker's overlaid insecure submission form. Once you press submit, that data is transmitted in the clear, you likely get an error page asking you to try again, and the attacker now has all your info.

      That's why all browsers with a clue let you know about that gigantic, ridiculous, glaring security hole with mixed content.
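
The mixed-content problem described in this comment is something a site owner can check for before a browser does. The following is an added example, not code from the thread or from any of the sites named in it: a small scanner that takes the URL an https:// page was served from plus its HTML and lists every sub-resource or form target that would be loaded or submitted over plain http://. All hostnames and the sample page are constructed for the demonstration.

```python
"""Mixed-content scanner (added example; all URLs are constructed)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs whose value fetches a sub-resource or sends form data.
URL_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("form", "action"),
    ("object", "data"), ("embed", "src"), ("audio", "src"), ("video", "src"),
    ("source", "src"),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL) for every http:// reference

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are fetched; rel="canonical" and friends are not.
            rel = (attrs.get("rel") or "").lower().split()
            url = attrs.get("href") if "stylesheet" in rel else None
        else:
            url = next((v for n, v in attrs.items() if (tag, n) in URL_ATTRS), None)
        if not url:
            return
        # Relative and scheme-relative (//host/...) references inherit https://
        # from the page, so only an explicit http:// scheme is mixed content.
        target = urljoin(self.page_url, url.strip())
        if urlsplit(target).scheme == "http":
            self.findings.append((tag, target))


def find_mixed_content(page_url, html):
    """Return [(tag, url), ...] for http:// references on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # a plain-http page has no secure context to undermine
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two safe references, three insecure ones.
SAMPLE_URL = "https://www.example.test/home"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="canonical" href="http://www.example.test/home">
<script src="http://cdn.example.test/app.js"></script>
</head><body>
<img src="//static.example.test/logo.png">
<img src="/img/avatar.png">
<form action="http://login.example.test/submit" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""


def scan_sample():
    return find_mixed_content(SAMPLE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for tag, url in scan_sample():
        print(f"mixed content: <{tag}> references {url}")
```

The insecure form action is the case the comment describes: credentials typed into that form would leave the browser in the clear even though the page itself came over HTTPS.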

    5. Re:How long does it take to get a cert? by LordLimecat · · Score: 1

      Not just Intel. Use a modern AMD processor or any Xeon E3 or above, and you can hit in excess of 10gbit/sec of AES traffic through the processor alone (not even counting accelerators). I understand there are PCIe accelerators out there by Exar that can give a pretty substantial boost as well.

    6. Re:How long does it take to get a cert? by LordLimecat · · Score: 3, Insightful

      You mean those same governments whose root certs are already in 90% of computer trust chains?

      Protip: your computer very likely trusts a root cert from a Chinese company with "strong" ties to their government. Sleep well.

    7. Re:How long does it take to get a cert? by heypete · · Score: 2, Insightful

      Indeed. The "heavy" part of SSL is doing the connection setup and exchange, as it uses asymmetric algorithms like RSA or Diffie-Hellman for key exchange. The actual bulk encrypted transport is relatively lightweight. It never made much sense to me to spend the cycles to set up a secure connection, use it for protecting the login/password, and then drop back to an insecure page when you could just keep the same connection secure for minimal additional resources.

    8. Re:How long does it take to get a cert? by fa2k · · Score: 1

      That's not a problem though, as they will not be able to read it anyway. All they know is what server you connected to and the size, number and time of packets in each direction. [Also read comment below, your attacker may have access to a root CA. I'd mod that up if I had mod points.] One benefit of encrypting unimportant traffic, apart from the actual security benefits like when using open WLANs, is that it makes it much more difficult to block specific pages.

    9. Re:How long does it take to get a cert? by TheRealGrogan · · Score: 1

      In this case none of that content needs to be encrypted in the first place. This isn't your bank, it's just a video site.

      I have noticed the problem only with IE8. I suppose that nobody else except you and it has a clue?

      It is probably erroneous.

    10. Re:How long does it take to get a cert? by LordLimecat · · Score: 2

      No, computer. Browsers tend to use the system trusted root cert info. On OS X you install certs to the system certificate chain to get SSL errors to disappear in your browser, email, etc. Ditto on Windows for RDP, email, browsing, and VPNs (SSTP).

      Firefox may be the odd man out-- I believe it uses its own internal trusted roots list.

    11. Re:How long does it take to get a cert? by LordLimecat · · Score: 1

      YouTube uses your Google account for login. I really don't think you want your Gmail credentials out in the open.

      And Chrome WILL warn you if there is mixed content-- they just do it with an icon rather than a popup. The popup you noticed originated at least as far back as IE6, and possibly earlier.

    12. Re:How long does it take to get a cert? by dajjhman · · Score: 3, Insightful

      Actually, without SSL, man-in-the-middle attacks are very problematic. As a security researcher, I can tell you that it is very easy to cause mayhem with http-based traffic for Facebook. We'd launch a proxy on the network, and funnel traffic through it. With no security, we could, for example, change the destination and content of messages, and see everything.

      --
      The man who cannot imagine a horse galloping on a tomato is an idiot - Andre Breton
    13. Re:How long does it take to get a cert? by asdf7890 · · Score: 1

      Nope. Not just your browser. Your browser, your OS & some of its support libraries that many other apps may use.

    14. Re:How long does it take to get a cert? by ewieling · · Score: 1

      If the government wants to read my SSL traffic badly enough they will find a way. I'm not concerned about the NSA, CIA, Military, etc. If they take an interest in me, then I'm totally fucked anyway. I'm concerned with the rest of the government; I want them to work just a little harder to get access to my data. Think of it like locks on doors. They won't keep out a determined thief, but they are not intended to. They are intended to make you less of a target than your neighbors, i.e. you are making the thief work just a little harder to steal your stuff than your neighbors' stuff. Fortunately I'm a nobody. I don't do stuff to piss off the government and I hope they never think I'm associated with someone who does piss off the government.

      --
      I really shouldn't have used someone else's email address for this account.
    15. Re:How long does it take to get a cert? by TheRealGrogan · · Score: 1

      No, I am saying that IE8 is erroneously putting up that message. I know what it means and yes, it's been around much earlier than IE6. I think I remember it in Netscape even.

      I don't sign in to YouTube. I don't sign in to Google. I opted out of all the social networking tripe. (I forget what they call it, but there's a central site you can use to opt out of Google Everything all at once, and only keep what you want.) I have a disposable Gmail account, with completely false information, that I log in to maybe once every few months (or if I'm expecting correspondence) and then I log out of it.

      So no, I really don't care to have my searches over SSL. It's just unnecessary overhead. I also don't care to read mailing list archives or download source code over SSL either.

  3. Link to article has extra character at end by mcl630 · · Score: 5, Informative

    1. Re:Link to article has extra character at end by jfdavis668 · · Score: 1

      Thank you.

    2. Re:Link to article has extra character at end by M0j0_j0j0 · · Score: 2

      Pick your poison.

    3. Re:Link to article has extra character at end by YodasEvilTwin · · Score: 1

      Is 0.01 seconds on a single attempt what you consider "significant"? Because it's not. Try a statistically meaningful number of attempts with either (a) a larger file where hiccups have less effect on the total time or (b) real-world usage with multiple assets of various sizes.

  4. power by Anonymous Coward · · Score: 3, Interesting

    wonder what the implications are from a power consumption perspective?

    1. Re:power by Alien+Being · · Score: 3, Insightful

      I don't know but I'm sure the waste ratio hasn't increased from 100%.

  5. SSL hardware acceleration? by timeOday · · Score: 2

    Anybody know if facebook is using any hardware SSL acceleration? Or is throwing more commodity CPUs at it the better choice?

    1. Re:SSL hardware acceleration? by Hadlock · · Score: 4, Informative

      Crystal Forest is supposed to have SSL acceleration built in. Ivy Bridge (2012) has AES acceleration built in on midrange i5s and up, and I think AES was supported by some processors as early as Sandy Bridge (2011). Crystal Forest is a platform rather than microarchitecture, and I'm not sure exactly when it will be released.

      --
      moox. for a new generation.
    2. Re:SSL hardware acceleration? by SuperQ · · Score: 1

      With modern machines you only spend about 2% of your CPU handling the HTTPS part of the transaction, especially with HTTPS connection re-use handling. Back when they first started enabling HTTPS I calculated that it might take one more rack of machines to handle all the HTTPS needs for Facebook in a worst-case situation. One rack is a drop in the bucket for the http front ends these days for a service as big as Facebook.

  6. Thanks, Facebook. by pushing-robot · · Score: 5, Funny

    Twitter did it a while back. Facebook finally jumped on the bandwagon. Now if only ChatRoulette would follow suit, I could finally bare every detail of my life to strangers without fear of prying eyes.

    --
    How can I believe you when you tell me what I don't want to hear?
    1. Re:Thanks, Facebook. by varargs · · Score: 4, Funny

      Zuckerborg would be a hero in my book if he would redirect all of facebook to /dev/null.

    2. Re:Thanks, Facebook. by roc97007 · · Score: 1

        "[...] I could finally bare every detail of my life to strangers without fear of prying eyes"

      Um.... um... where do I begin...

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    3. Re:Thanks, Facebook. by UCFFool · · Score: 1

      I know you are just being amusing, but the joy of HTTPS-Everywhere is, well, default everywhere.

      --
      "The more pity, that fools may not speak wisely what wise men do foolishly" - Touchstone, Shakespeare's "As You Like It"
    4. Re:Thanks, Facebook. by Ford+Prefect · · Score: 1

        "Zuckerborg would be a hero in my book if he would redirect all of facebook to /dev/null."

      Actually, he'd probably get it the wrong way round and redirect that howling infinite void of /dev/null out to the entire populace of Facebook - instantly terminating, unending nothingness piped through smartphones and laptops and desktop computers, straight into the uncomprehending, newly-obliterated minds of the social networking masses.

      Still, everyone would find it an improvement over the previous service.

      --
      Tedious Bloggy Stuff - hooray?
  7. No big deal by Sarten-X · · Score: 3, Insightful

    Of course, the biggest security vulnerability is on one end of the connection, and the biggest threat to privacy is on the other. HTTPS won't help much for those.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  8. It's not about security but more privacy by JcMorin · · Score: 2

    I think you should see it the other way around. For me HTTPS is more about privacy than security... Having my connection encrypted prevents my company, ISP, governments or any routers in between from knowing what I'm doing. Security is usually, as you said, related to your computer or the web site getting hacked or not. IMO the web should be https by default.

    1. Re:It's not about security but more privacy by ark1 · · Score: 1

      Problem is whatever you upload to Facebook should be considered as exposed/compromised even if you set your privacy settings otherwise. You just know sooner or later another Facebook screw up will occur and information meant to remain private will be made public.

  9. So my Driftnet screen will go black? by rduke15 · · Score: 3, Interesting

    This is really sad news. My driftnet/webcollage screen in my living room will get boring if it gets starved of all the neighbours' Facebook activity. https is killing all the fun!

    1. Re:So my Driftnet screen will go black? by flyingfsck · · Score: 1

      You could display chatroulette on your picture frame. It would be much the same thing...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  10. That's nice by viperidaenz · · Score: 3, Insightful

    Maybe they just want to make it harder for 3rd parties to see their traffic. Browsers won't show https URLs as a Referer, so advertisers can't audit their click rates.

  11. They don't like competition by Hentes · · Score: 1

    Facebook doesn't want anybody else stealing your data.

  12. Yawn ... by drpimp · · Score: 1

    Glad the populace on there will enjoy HTTPS, as I have explicitly been using it for years now. I never wanted my pesky network admins sitting on the wire and watching what I post when I am at work ... errrrr on break ... errr I mean ...

    --
    -- Brought to you by Carl's JR
  13. Facebook + Security = WTF? by __aaltlg1547 · · Score: 1

    They still encourage you to air all your soon-to-be-former-friends' laundry and sell their identities for entertainment.

  14. Latency to https? by Twinbee · · Score: 1

    Will https add any latency to site navigation?

    --
    Why OpalCalc is the best Windows calc
    1. Re:Latency to https? by heypete · · Score: 1

      I've opted to use https only on Facebook for a year or so and haven't noticed any discernible difference.

  15. Turning on secure browsing be default? by dgharmon · · Score: 1

    Except, if you are at the end of a corporate proxy, your encrypted session can be easily eavesdropped on .. link

    --
    AccountKiller
  16. I have a slight problem with this... by Phoenix · · Score: 3, Interesting

    Last year I succumbed to Facebook's nagging and I finally opted to raise my security to the HTTPS setting. Largely to shut it the @#$% up.

    Nagging was worse than ad-supported software.

    However once I did that my troubles began. None of the games I played would run under the HTTPS and instructed me to drop back to the HTTP security. However once I did that, Facebook was nagging me "Did I really want to do that?" and "Are you certain that this is wise? The higher security is better to protect your identity".

    After several attempts I gave it up and left it at the HTTPS setting. Haven't played a Facebook game or run a Facebook app since.

    So my question is...what's going to happen to all the people who are addicted to all the apps and games? Will they *finally* run under the higher security setting? Or are we going to hear the wailing and gnashing of teeth as people start going into withdrawal when they can't check on their farms to see if they got the magical macguffin of the week?

    [I didn't notice that my comp was logged off of my account and posted it as an anon-coward]

    --
    -- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
    1. Re:I have a slight problem with this... by Unknown+Relic · · Score: 1

      Facebook used to allow apps/games to optionally provide a secure URL to be used when a user was logged in via https but it was up to the developer to determine if https was supported or not. Because SSL = the need to purchase a certificate many did not, but it's now required that a secure URL be provided.

    2. Re:I have a slight problem with this... by bill_mcgonigle · · Score: 1

      I suppose they'll be forced to finally support their app on HTTPS, like they should have done two years ago.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  17. Such valuable data by Jaza · · Score: 1

    Britney Braindead:
    "OMG peepz Justin Bieber is on the morning show... switch channels RIGHT NOW!!!"
    2 minutes ago

    SSL... is it really necessary?

  18. Quicker HTTPS by u64 · · Score: 1

    A few things that may help on Palemoon and Firefox:

      Make sure SSL pages get cached,
    browser.cache.disk_cache_ssl;true

      Pipeline the SSL too,
    network.http.pipelining.ssl;true

      TorBrowser uses this,
    security.ssl.enable_false_start;true

      And as always, reduce some traffic bloat,
    dom.storage.enabled;false
    gfx.downloadable_fonts.enabled;false
    browser.chrome.image_icons.max_size;16
    general.useragent.override;Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0

      If you want, at the cost of a stickier browser fingerprint,
    image.http.accept;*

  19. Re:cap buster by jedwidz · · Score: 1

    HTTPS content can be cached in the browser, and why not?

    You can expect to lose proxy caching though.

    (Unless your corporate proxy is kind enough to decrypt your traffic and then cache it...)