Facebook bumps up links to HTTPS to boost online security

The platform's link security infrastructure now includes HSTS preloading.
Written by Charlie Osborne, Contributing Writer

Facebook has upgraded its link infrastructure to bolster security online.

The social network catered for roughly 2.13 billion monthly active users in Q4 2017. With an international user base that is rising each year, Facebook now has a greater responsibility to ensure visitors are kept as safe as possible -- both when on the platform, and leaving it.

According to Jon Millican, a software engineer for Facebook's Data Privacy team, introducing HTTPS security upgrades is part of this responsibility.

In a blog post this week, the engineer said that HSTS preloading has now been added to Facebook's link infrastructure, which will automatically convert HTTP links to HTTPS when possible.

Hypertext Transfer Protocol Secure (HTTPS) is a more secure version of HTTP because communication between websites and visitors is encrypted. HTTP Strict Transport Security (HSTS) is a policy that a domain can enable; once it is enabled, browsers refuse to make requests to that domain over plain HTTP, which maintains this security standard.

Facebook has also included preloading, which should not impact the speed or efficiency of accessing links from Facebook or Instagram.

The company uses two sources to determine which links can be upgraded to HTTPS. The Chromium preload list is the main source as it is used by many major browsers and is updated on a regular basis. In addition, Facebook pulls information from its own platform in the form of recorded HSTS headers from websites shared across the network.
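One way the two sources described above could be combined into an upgrade decision, as an added example that is not Facebook's code. The hostnames, timestamps and function names are constructed for illustration, and the subdomain and expiry handling follows the HSTS specification (RFC 6797).

```python
from urllib.parse import urlsplit

# Constructed stand-in for the preload list: host -> subdomains covered?
PRELOAD = {"example-preloaded.test": True, "exact-only.test": False}
# Constructed record of HSTS headers seen over HTTPS: host -> (header, unix time seen)
OBSERVED = {
    "shop.test": ("max-age=31536000; includeSubDomains", 1_520_000_000),
    "stale.test": ("max-age=3600", 1_520_000_000),
    "off.test": ("max-age=0", 1_520_000_000),
}

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing or invalid."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def hsts_applies(host, now):
    """Check the host, then each parent domain, against both sources."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name, exact = ".".join(labels[i:]), i == 0
        if name in PRELOAD and (exact or PRELOAD[name]):
            return True
        if name in OBSERVED:
            header, seen = OBSERVED[name]
            policy = parse_hsts(header)
            # A recorded policy counts only while unexpired; max-age=0 switches it off.
            if policy and seen + policy[0] > now and (exact or policy[1]):
                return True
    return False

def upgrade_link(url, now):
    """Rewrite http:// to https:// only when an HSTS policy covers the host."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if not hsts_applies(parts.hostname, now):
        return url
    netloc = parts.netloc
    if parts.port == 80:  # an explicit :80 would be wrong under https
        netloc = netloc.rsplit(":", 1)[0]
    return parts._replace(scheme="https", netloc=netloc).geturl()
```

Links whose host is covered by neither source are returned unchanged, so a site that does not serve HTTPS is never rewritten to a scheme it cannot answer.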

"If you run a website which does not yet support HTTPS, we strongly encourage you to begin doing so, and to enable HSTS while you're at it," Millican says.

The change may be a small one, but it is important. Countless external links are shared on Facebook and Instagram every day, and when connections are only made via HTTP, unsecured websites may expose user traffic to surveillance, snooping, and Man-in-the-Middle (MITM) attacks.

The change may also encourage webmasters to adopt HTTPS for domains under their control. Facebook already sponsors Let's Encrypt, a free TLS certificate provider which provides a guide to enabling HTTPS on website domains.

Users who are concerned about HTTP connections also have the option to download the Electronic Frontier Foundation (EFF) HTTPS Everywhere extension, which rewrites visitor requests to use HTTPS whenever possible.
