Facebook sets secure browsing (HTTPS) as default
In November, Facebook started to convert its default browsing from unsecured HTTP to secured HTTPS (Hypertext Transfer Protocol Secure). The company announced in a blog post that it has now finished the job of using HTTPS for all Facebook users.
This makes for a secure connection between users and Facebook. When Facebook first started enabling HTTPS, the company found that roughly 1/3 of users opted in. Since November, Facebook has worked to make the HTTPS connection faster and more efficient. The company said Wednesday that all desktop users and 80 percent of traffic through m.facebook.com now go through a secured connection. Native apps have also been using HTTPS.
In the blog post, Facebook’s engineering team walked users through the steps of converting from HTTP to HTTPS, which is more complex than you’d think:
One of the biggest challenges in enabling https by default is performance. In addition to the network round trips necessary for your browser to talk to Facebook servers, https adds additional round trips for the handshake to set up the connection. A full handshake requires two additional round trips, while an abbreviated handshake requires just one additional round trip. An abbreviated handshake can only follow a successful full handshake.
For example, if you’re in Vancouver, where a round trip to Facebook’s Prineville, Oregon, data center takes 20ms, then the full handshake only adds about 40ms, which probably isn’t noticeable. However, if you’re in Jakarta, where a round trip takes 300ms, a full handshake can add 600ms. When combined with an already slow connection, this additional latency on every request could be very noticeable and frustrating. Thankfully, we’ve been able to avoid this extra latency in most cases by upgrading our infrastructure and using abbreviated handshakes.
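The round-trip costs quoted above can be modeled over a series of connections. The sketch below is an added example, not code from the article or from Facebook's post; the session lifetime, the connection times and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

FULL_EXTRA_RTTS = 2         # full handshake: two additional round trips
ABBREVIATED_EXTRA_RTTS = 1  # abbreviated handshake: one additional round trip


@dataclass
class Handshake:
    at_s: float      # connection start time, in seconds
    kind: str        # "full" or "abbreviated"
    added_ms: float  # latency the handshake adds before the first request


def plan_handshakes(connect_times_s, rtt_ms, session_lifetime_s):
    """Classify each connection as a full or abbreviated handshake.

    An abbreviated handshake is only possible after a successful full
    handshake whose session is still valid. The lifetime is an assumed
    parameter, counted from the full handshake that created the session.
    """
    plan = []
    session_start = None  # time of the last full handshake, if any
    for t in sorted(connect_times_s):
        resumable = (session_start is not None
                     and t - session_start <= session_lifetime_s)
        if resumable:
            kind, rtts = "abbreviated", ABBREVIATED_EXTRA_RTTS
        else:
            kind, rtts = "full", FULL_EXTRA_RTTS
            session_start = t  # a new session begins here
        plan.append(Handshake(t, kind, rtts * rtt_ms))
    return plan


def total_added_ms(plan):
    """Sum of handshake latency over all connections in the plan."""
    return sum(h.added_ms for h in plan)


if __name__ == "__main__":
    # Constructed sample: five connections, one-hour session lifetime (assumed).
    times = [0, 30, 600, 4000, 4100]
    for city, rtt in (("Vancouver", 20), ("Jakarta", 300)):
        plan = plan_handshakes(times, rtt, session_lifetime_s=3600)
        kinds = ", ".join(h.kind for h in plan)
        no_resume = len(times) * FULL_EXTRA_RTTS * rtt
        print(f"{city}: {kinds}")
        print(f"  added {total_added_ms(plan):.0f} ms "
              f"(vs {no_resume} ms with full handshakes only)")
```

With the Jakarta round trip of 300ms, the fourth connection falls outside the assumed session lifetime and pays for a full handshake again, which is where most of the remaining overhead comes from.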
Facebook also included a graph showing HTTPS adoption since April 2011. The company discovered that adoption reached roughly 35 percent organically before Facebook started actively defaulting to HTTPS.