November 20, 2012, 8:58 AM — Facebook started encrypting the connections of its North American users by default last week as part of a plan to roll out always-on HTTPS (Hypertext Transfer Protocol Secure) to its entire global user base.
For the past several years, security experts and privacy advocates have called on Facebook to enable always-on HTTPS by default because the feature prevents account hijacking attacks over insecure networks and also stops the governments of some countries from spying on the Facebook activities of their residents.
Despite the feature's security benefits, Facebook announced the start of its HTTPS roll-out in a post on its Developer Blog last week, and not through its security page or its newsroom.
"As announced last year, we are moving to HTTPS for all users," Facebook platform engineer Shireesh Asthana said Thursday in a blog post that also described many other platform changes and bug fixes relevant to developers. "This week, we're starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world."
It's not clear when exactly the roll-out for the rest of the world will start. Facebook did not immediately respond to a request for comment.
The Electronic Frontier Foundation (EFF), a digital rights organizations, welcomed the move via Twitter on Monday describing it as a "huge step forward for encrypting the web."
The EFF has long been a proponent of always-on HTTPS adoption. In collaboration with the Tor Project, creator of the Tor anonymizing network and software, the EFF maintains a browser extension called HTTP Everywhere that forces always-on HTTPS connections by default on websites that only support the feature on an opt-in basis. Twitter, Gmail and other Google services have HTTPS already turned on by default.
Facebook launched always-on HTTPS as an opt-in feature for users in Jan. 2011. However, the initial implementation was lacking because whenever users launched a third-party application that didn't support HTTPS on the website, the entire Facebook connection was switched back to HTTP.
In order to address this problem, in May 2011 Facebook asked all platform application developers to acquire SSL certificates and make their apps HTTPS-compatible by Oct. 1 that same year.
It's not clear why it took the company another year after that deadline expired in order to finally be able to offer always-on HTTPS by default.