Facebook is moving ahead with plans for a full transition to requiring OAuth 2.0 and HTTPS, beginning with the rollout of HTTPS as the default for all North American users this month. These changes will improve user security, but could slow down the user experience, since encrypted pages take longer to load than unsecured content. Changes to implement the changeover are already underway.
According to Facebook, “These updates are part of a continual process to make our platform more secure for developers and users.”
Facebook is posting details on the new requirements and the implementation of its new policies, primarily in its developer section: developers.facebook.com/blog/. Apps in use on Facebook will now be required to support HTTPS. HTTPS layers HTTP on top of the SSL/TLS protocol; it authenticates the website and Web server the user is communicating with and encrypts the session, including the session cookie, which protects against man-in-the-middle attacks. Secure Web protocols were once used mainly for banking and e-commerce.
Developers must now acquire an SSL certificate and follow the instructions detailed in Facebook’s evolving “Authentication Guide to Implement OAuth”. OAuth is an open standard for authorization: it allows users to share private resources (e.g. photos, videos, contact lists) stored on one site with another site. Requirements detailed in Facebook’s policy guidance include assurance that apps transfer no data (user identifications or access tokens, for example) to third-party apps.
This transition is strategically related to several other security initiatives the social networking giant has recently launched. This month Facebook announced a new partnership with Web of Trust to detect and block bad links, along with additional clickjacking protection, self-XSS protection and login approvals. Last month, the company rolled out an entire suite of new safety and security tools.
Facebook takes credit for leading the way in implementing OAuth, and for contributing deeply to the standard itself, thereby increasing security on the Internet by giving people more control over what data can be accessed via APIs. Facebook policies now require developers to use third-party ad providers who have signed terms governing ad quality and data use. Facebook is also moving quickly to adopt a secure signed-cookie specification in collaboration with Yahoo!, Google and Mozilla.
Facebook announced plans to implement HTTPS in January 2011. That year, Facebook gave users the option to enable HTTPS for their entire sessions, rather than only for the exchange following password entry. Users can select this option in the “account security” section of the “account settings” page. Now HTTPS will be the default setting for all Facebook users.
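The practical difference between protecting only the password exchange and protecting the whole session (described above, and the reason the article stresses that HTTPS keeps the session cookie encrypted) comes down to whether the browser will ever send the session cookie over plaintext HTTP. The following added example is not Facebook's code and is not taken from the article: it is a small defender's audit that parses Set-Cookie headers and reports session cookies that lack the Secure and HttpOnly attributes. The cookie names treated as session identifiers and the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie off
plaintext HTTP. Added example; not Facebook's code. Cookie names and sample
headers below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


# Assumed names under which a site might store its session identifier.
SESSION_COOKIE_NAMES = {"sessionid", "sid", "session", "auth_token"}

# Constructed sample responses. The first mimics a login-only HTTPS deployment:
# the cookie is issued over HTTPS, but nothing stops the browser from replaying
# it on a later http:// page. The second mimics a full-session HTTPS deployment.
SAMPLE_HEADERS = {
    "login_only_https": [
        "sessionid=abc123; Path=/; HttpOnly",
        "locale=en_US; Path=/",
    ],
    "full_session_https": [
        "sessionid=abc123; Path=/; Secure; HttpOnly",
        "locale=en_US; Path=/; Secure",
    ],
}


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header into name, value and lower-cased attributes.
    Flag attributes (Secure, HttpOnly) are stored with the value True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def sent_over(cookie: Cookie, scheme: str) -> bool:
    """Browser rule (RFC 6265 section 5.4): a Secure cookie is attached only to
    requests over a secure scheme; any other cookie goes out on http:// too."""
    return scheme == "https" or not cookie.secure


def audit(headers: list[str]) -> list[str]:
    """Return one finding per weakness on a session cookie; an empty list is a pass."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() not in SESSION_COOKIE_NAMES:
            continue
        if not cookie.secure:
            findings.append(f"{cookie.name}: missing Secure; browser will send it on http:// requests")
        if not cookie.httponly:
            findings.append(f"{cookie.name}: missing HttpOnly; readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLE_HEADERS.items():
        print(label, "->", audit(headers) or "OK")
```

Run against the constructed samples, the login-only deployment is flagged because its session cookie would ride along on any plain-HTTP request to the same host, which is exactly the exposure that serving the entire session over HTTPS (and marking the cookie Secure) removes.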
These requirements signal that such security measures are becoming standard for mainstream social networking. Facebook is not the only Web service moving over to HTTPS: Google turned HTTPS on by default for Gmail in 2010, and early in 2012 Twitter enabled HTTPS by default for all its users.
HTTPS is not foolproof, but it does offer an effective layer of security that reduces the risk of data hijacking. Facebook’s movement in this direction is winning kudos from a wide swath of IT bloggers and pundits.