Facebook’s new security feature will automatically send you to HTTPS versions of HTTP web pages by implementing HSTS Preloading.
Google is no longer alone: Facebook has also started showing its preference for HTTPS over HTTP. The company recently said in a blog post that it is implementing HSTS preloading across Facebook and Instagram to ensure that links opened by users on its platforms are almost always opened over HTTPS.
Jon Millican, a software engineer on Facebook's data privacy team, said:
“We have recently upgraded our link security infrastructure to include HSTS preloading, which automatically upgrades HTTP links to HTTPS for eligible websites. This will improve people’s security and will also often improve the speed of navigation to sites from Facebook.”
HSTS preloading, in case you don’t know, stands for HTTP Strict Transport Security preloading. The feature opens all links posted as HTTP over the HTTPS protocol whenever possible. So from now on, even if someone posts a link on Facebook with HTTP, visitors who open that link will be automatically redirected to the HTTPS version of the link if it’s available.
Jon Millican also stated on eWEEK:
“We understand that many people still use browsers that don’t support HSTS, and so we’re working to ensure that their first connection to supported websites is secure.”
Facebook could also have rewritten the links posted as HTTP on its websites, but that would have broken the links for all those sites that, for some reason, are still stuck on HTTP. So the company decided to do it this way, which achieves the required goal without hampering the user experience in any way.
To implement the feature, Facebook is using a list of known sites that conform to all major HTTPS best practices. This is the Chromium preload list, which most browsers use to implement the feature. However, for a better experience the company has also prepared a similar list of its own by crawling the HTTP headers of websites across the web. Both lists are updated regularly to ensure the proper functioning of the feature.
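The sketch below is an added example, not Facebook's code: it builds an eligibility set from crawled `Strict-Transport-Security` headers and upgrades only links whose host is covered. The eligibility rule (one-year `max-age`, `includeSubDomains`, `preload`) is assumed from the Chromium preload submission requirements, and the hosts, headers and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

MIN_MAX_AGE = 31536000  # one year; assumed from Chromium preload requirements

def parse_hsts(header):
    """Parse an HSTS header value; None if a directive repeats (RFC 6797)."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:
            return None
        directives[name] = value.strip().strip('"')
    return directives

def preload_eligible(header):
    d = parse_hsts(header)
    if not d or "includesubdomains" not in d or "preload" not in d:
        return False
    age = d.get("max-age", "")
    return age.isascii() and age.isdigit() and int(age) >= MIN_MAX_AGE

def covered(host, preload_hosts):
    """True if the host or any parent domain is listed (includeSubDomains)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in preload_hosts for i in range(len(labels)))

def upgrade_link(url, preload_hosts):
    """Return the HTTPS form of an HTTP link only when the host is covered."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if parts.port not in (None, 80):  # non-default port: leave untouched
        return url
    if not covered(parts.hostname, preload_hosts):
        return url  # site may be HTTP-only; rewriting would break the link
    return urlunsplit(("https", parts.hostname, parts.path,
                       parts.query, parts.fragment))

# Constructed sample: headers a crawler might have collected.
CRAWLED = {
    "example.com": "max-age=63072000; includeSubDomains; preload",
    "short.example.net": "max-age=86400; includeSubDomains; preload",
    "nopreload.example.org": "max-age=31536000; includeSubDomains",
}
ELIGIBLE = {h for h, v in CRAWLED.items() if preload_eligible(v)}
```

Links to hosts outside the set are returned unchanged, which is the behaviour that keeps HTTP-only sites reachable.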
HTTPS adoption on the rise
HTTPS adoption has risen significantly over the last two years. Ever since Google started nudging website owners to implement HTTPS by downranking them in search results and flagging their websites as ‘Not Secure’ in the Chrome browser, the internet community has taken HTTPS seriously. Cisco’s 2017 Annual Cyber Security Report revealed that 50% of all traffic on the web is now over HTTPS, and Google’s Transparency Report discloses that 80% of web pages loaded in Google Chrome last year were over HTTPS.
Facebook’s latest implementation of HSTS Preloading can take these figures to the next level and make the web more secure, thanks to the large size of its social network and the amount of time that people spend on its platforms.