HTTPS, or Hypertext Transfer Protocol Secure, is now the default for all Facebook users, putting the wraps on a process the social network started last November, Software Engineer Scott Renfro announced in a note on the Facebook Engineering page.
Facebook first introduced HTTPS as an option two years ago. The difference between HTTPS and traditional HTTP Web browsing is the use of Transport Layer Security, the successor to Secure Sockets Layer, which encrypts communication between browsers and the social network’s servers.
With HTTPS having been in use in Facebook’s native applications for iOS and Android for quite some time, nearly all traffic to www.facebook.com arrives via secure connections, along with about 80 percent of traffic to m.facebook.com.
Renfro wrote in the note on the Facebook Engineering page:
Switching to https is more complicated than it might seem. It’s not simply a matter of redirecting from http://www.facebook.com to https://www.facebook.com. We thought it’d be useful to walk through some changes we’ve already made and some improvements that we’re still working on.
He then proceeded to detail the steps the social network took to address:
- The secure attribute for authentication cookies.
- Insecure indicator cookies.
- Third-party platform applications, of which he wrote, “Understandably, browsers don’t render insecure content as part of an HTTPS page. Because we embed third-party platform applications inside of iframes, we needed to get all platform applications to upgrade their apps to support HTTPS. This was treated as a 90-day breaking change for platform applications, and we actually gave developers 150 days to get a certificate and upgrade their application to HTTPS.”
- Controlling referrer headers.
- Migration and in-flight upgrades.
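As an added example, not code from the post or from Facebook, here is a small Python audit for the first step in that list: it parses Set-Cookie headers and reports authentication cookies that are missing the Secure attribute (and would therefore also be sent over plain HTTP). The cookie names and header lines are constructed for illustration.

```python
"""Audit Set-Cookie headers: authentication cookies must carry the Secure attribute."""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or None for flag attributes
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Lenient RFC 6265-style parse of one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # value may itself contain '='
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value, attrs)


# Assumed (constructed) names of cookies that carry a session or token.
AUTH_COOKIES = {"sess", "token"}


def insecure_auth_cookies(headers, auth_names=AUTH_COOKIES):
    """Return names of auth cookies a browser would also send over plain HTTP."""
    bad = []
    for h in headers:
        c = parse_set_cookie(h)
        if c.name in auth_names and "secure" not in c.attrs:
            bad.append(c.name)
    return bad


# Constructed sample response headers for the demonstration.
SAMPLE_HEADERS = [
    "sess=abc123; Path=/; HttpOnly",        # auth cookie without Secure: flagged
    "token=xyz; Path=/; Secure; HttpOnly",  # auth cookie done right
    "locale=en_US; Path=/",                 # indicator cookie, not session-bearing
]

if __name__ == "__main__":
    print("auth cookies missing Secure:", insecure_auth_cookies(SAMPLE_HEADERS))
```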
How will the conversion to HTTPS affect Facebook’s performance? Renfro wrote:
One of the biggest challenges in enabling HTTPS by default is performance. In addition to the network round trips necessary for your browser to talk to Facebook servers, HTTPS adds additional round trips for the handshake to set up the connection. A full handshake requires two additional round trips, while an abbreviated handshake requires just one additional round trip. An abbreviated handshake can only follow a successful full handshake.
For example, if you’re in Vancouver, where a round trip to Facebook’s Prineville, Ore., data center takes 20 milliseconds, then the full handshake only adds about 40 ms, which probably isn’t noticeable. However, if you’re in Jakarta, where a round trip takes 300 ms, a full handshake can add 600 ms. When combined with an already slow connection, this additional latency on every request could be very noticeable and frustrating. Thankfully, we’ve been able to avoid this extra latency in most cases by upgrading our infrastructure and using abbreviated handshakes.
Renfro also went into detail on further changes Facebook plans to implement, and concluded:
Turning on HTTPS by default is a dream come true, and something Facebook’s traffic, network, security infrastructure, and security teams have worked on for years. We’re really happy with how much of Facebook’s traffic is now encrypted, and we are even more excited about the future changes we’re preparing to launch.
Readers: Had you already voluntarily made the switch to HTTPS?