I recently changed my Facebook Account Security settings and switched on secure browsing (I know it has taken me a while). Facebook first offered the option in January 2011, extending its use of HTTPS from just the password exchange at login to every page in the session.
While doing this I thought it would be worth having a quick look at HTTPS and seeing what it actually changes about the way I access Facebook.
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is a combination of the Hypertext Transfer Protocol (the method by which hypertext requests and responses are transferred between browsers and servers across the Internet) and the SSL/TLS protocol, which provides encrypted communication and verifiable identification of web servers. Secure Sockets Layer (SSL) has been the most widely used security protocol on the Internet. It was originally developed by Netscape, and its last version, SSL 3.0, became the basis of the Transport Layer Security (TLS) protocol, the standardised successor that browsers and servers negotiate today.
SSL
SSL is based on the premise that when I browse to a trusted site, I want to know that I am talking only to the party I intend to talk to, and that my data is not being seen by anybody else. This trust is achieved using Certification Authorities (CAs) and a Public Key Infrastructure (PKI). The basic idea is that a key comes in two halves: anything encrypted with the public key can only be decrypted by whoever holds the matching private key, and a signature made with the private key can be checked by anyone holding the public key. The second property is what PKI uses for authentication: the CA signs the site's certificate with its private key, and the browser checks that signature with the CA's public key.
Part of this process is setting up the encryption. This is negotiated during the SSL protocol's initial handshake, at the same time as the authentication: the two sides agree a cipher suite and use public-key cryptography to establish a shared secret (the session key). Once the handshake completes, the rest of the traffic is protected with that key using far less computationally hungry symmetric key cryptography. From this point the traffic can be considered encrypted.
The System Architecture
The following diagram and steps sum up the authentication process perfectly [via SecurityWorkshop]:
- When any modern browser is installed, it ships with several CA issuer certificates. These issuer certificates contain, among other information, the public key of the issuer.
- When a site operator decides to use SSL, they obtain a certificate for the site's public key that is signed using the CA's private key.
- The web browser starts a connection to an HTTPS site. Along with this request the client sends the list of encryption schemes (cipher suites) it supports.
- In response to the browser's connection request, the server sends a copy of the certificate from step 2, together with its choice from the client's list of encryption schemes.
- Once the certificate is downloaded, its signature (made with the CA's private key) is checked using the CA's public key installed in the browser in step 1; note that no network access is needed for this. The browser also checks that the certificate has not expired and that the name on it matches the host in the URL. No error is thrown if all of this checks out.
- The connection succeeds, and the client can now download from and upload to the web site with the protection of encryption.
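The six steps above, together with the public-key and handshake description in the SSL section, as an added example in Go using only its standard library. This is not code from the original post or from SecurityWorkshop. The CA name "Example Root CA" and the host "www.example.com" are made-up stand-ins, and the "server" is a listener on the loopback interface, so nothing leaves the machine. BuildPKI plays the CA and the site operator (steps 1 and 2), VerifyChain is the offline signature, expiry and hostname check of step 5, and Handshake runs the real TLS exchange of steps 3, 4 and 6, once with the CA trusted and once without.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair for the subject described by tmpl and returns it
// with a certificate signed by parentKey. With parent == nil the certificate
// is self-signed, which is how a root CA comes into being.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildPKI plays the CA and the site operator: the root certificate a browser
// ships with (step 1) and a server certificate for host signed with the CA's
// private key (step 2). The CA key is dropped on return; browsers never hold it.
func BuildPKI(host string) (ca, srv *x509.Certificate, srvKey *ecdsa.PrivateKey) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // hypothetical CA
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	srv, srvKey = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the browser compares with the URL
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, srv, srvKey
}

// VerifyChain is step 5 as the browser does it, with no network access: the
// CA signature on srv is checked against the trusted root, and srv must also
// be inside its validity period and name the host actually being visited.
func VerifyChain(ca, srv *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Handshake runs steps 3 to 6 over loopback: a TLS server presenting srv and
// a client that trusts only ca (or nobody, when trustCA is false). It returns
// the negotiated protocol version and cipher suite, or the client's error.
func Handshake(ca, srv *x509.Certificate, srvKey *ecdsa.PrivateKey, trustCA bool, host string) (uint16, uint16, error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.Read(make([]byte, 1)) // drives the server half of the handshake
			c.Close()
		}
	}()
	roots := x509.NewCertPool() // an empty pool trusts nobody
	if trustCA {
		roots.AddCert(ca)
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: host})
	if err != nil {
		return 0, 0, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, st.CipherSuite, nil
}
```

Two things worth noticing when you run it. VerifyChain fails for a host name other than the one in the certificate even though the CA signature is perfectly valid, which is the check that stops a fake site reusing somebody else's real certificate. And Handshake with trustCA set to false fails on the client side with an "unknown authority" error before any application data is exchanged, which is exactly what the browser warning page represents.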
Things to Note
You can tell when you are using a secure protocol because:
- The http:// part of the URL is replaced by https://
- A padlock appears in the status bar of the browser (in newer browsers, in the address bar).
Modern browsers also let you inspect the security certificate to verify the status of the connection: who issued it, which host name it was issued for, and until when it is valid.
To summarise: the idea behind HTTPS is to create a secure channel over an inherently insecure network. It protects on two levels. Certification/verification stops anyone from standing up a fake copy of a website designed to steal information, and on top of this the encryption means that although outsiders can see that the client and server are exchanging traffic (the IP addresses, ports and rough volume remain visible), they cannot read the HTTP requests and responses carried inside the packets.
So what changes is this actually bringing to my browsing experience?
It now means that the private information I'm entering into Facebook is protected as it travels across the Internet. It makes the process much more secure, and my information is less susceptible to readily available tools such as Firesheep, which grabbed session cookies sent over plain HTTP on a shared network and replayed them to take over the account. Ultimately it helps to prevent me from being susceptible to all kinds of data theft.
So why not just use HTTPS when accessing every website?
Having had a look at various blog posts, I gather that while HTTPS is great for secure transactions and dealing with sensitive information across the Internet, it does make website loading slower. The extra cost is mostly at connection setup: the handshake adds round trips before the first byte of the page arrives, and the public-key operations in it are CPU intensive, particularly on the server. Everything on the page (in the case of Facebook all of the images, adverts and so on) then has to be encrypted on one side and decrypted on the other, although with the symmetric session key that part is cheap by comparison.
When it comes down to it, there is really just no need to encrypt the majority of web traffic, so there is no point paying the extra overhead of HTTPS all of the time. However it is important to understand why it is used and when it needs to be implemented. One caveat worth remembering: any page of a site that is fetched over plain HTTP and carries the session cookie is enough for a tool like Firesheep, which is why Facebook offers the whole-site option rather than protecting only the login.
I'm not aiming to cover HTTPS in its entirety but merely to get a grasp of what it is about and why it is used. There is a lot of detail to be found on encryption and HTTPS across the Web. Gizmodo posted an excellent article on this subject as well, and I must finally mention Security Workshop again for their excellent explanation.