HTTP Strict Transport Security will force secure connections on eligible domains
On Monday morning, Facebook announced that it had upgraded its link structure to include HSTS preloading. This is great news for a more secure internet, as it will help encryption continue to spread across the web.
We have recently upgraded our link security infrastructure to include HSTS preloading, which automatically upgrades HTTP links to HTTPS for eligible websites. This will improve people’s security and will also often improve the speed of navigation to sites from Facebook.
If you’re a regular reader, you know that the internet is currently transitioning from insecure HTTP to secure HTTPS. Starting this summer with the release of Chrome 66, every website that is still served over plain HTTP will be given a negative indicator and flagged with a warning. For all intents and purposes, the unencrypted internet will be dead by 2019.
This move by Facebook helps to accelerate the change.
HSTS, or HTTP Strict Transport Security, is an HTTP response header that, once a browser has received it, instructs that browser to make every subsequent connection to the site securely, via HTTPS.
Typically, you’ll see a website add the HSTS header and then add itself to the HSTS preload list. That list, which is maintained by Google, instructs browsers to make a secure connection to a given domain on the very first attempt to connect. This closes a small attack window: without preloading, a user’s first connection to the site happens before the browser has ever seen the header, so that one connection is unprotected.
What Facebook is doing goes a step further. Obviously, one of Facebook’s biggest features is its ability to curate content for its users. I don’t have the statistics, but suffice it to say that every single second, countless users are following links away from Facebook as they consume content. We’re talking millions of followed links. And now, thanks to Facebook’s HSTS decision, all of them are being upgraded to HTTPS. Well, at least all of the links that point to a site with a valid SSL certificate.
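To make the two mechanisms above concrete (the header a site sends, and the link upgrade Facebook describes), here is an added example that is not Facebook’s code or the real preload list: it parses a Strict-Transport-Security header, checks it against the preload submission rules, and upgrades http:// links whose host (or a parent with includeSubDomains) appears in a small constructed preload table.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the HSTS preload list (hypothetical entries, not the
# real Chromium list): host -> whether includeSubDomains applies to it.
PRELOAD = {"example.com": True, "only-apex.test": False}

ONE_YEAR = 31536000  # minimum max-age (seconds) required for preload submission

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into its directives.
    Returns None if max-age is missing or not an integer (browsers ignore it)."""
    out = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            out["max-age"] = int(value)
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if out["max-age"] is not None else None

def preload_eligible(hsts):
    """Submission rules for the preload list: one-year max-age,
    includeSubDomains and the preload directive must all be present."""
    return bool(hsts and hsts["max-age"] >= ONE_YEAR
                and hsts["includeSubDomains"] and hsts["preload"])

def is_preloaded(host, preload=PRELOAD):
    """Walk from the full host up to its parents; a parent entry only
    counts if it was preloaded with includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload:
            return i == 0 or preload[candidate]
    return False

def upgrade_link(url, preload=PRELOAD):
    """Rewrite http:// to https:// only for preloaded hosts on the default
    port; non-default ports and non-http schemes are returned untouched."""
    p = urlsplit(url)
    if p.scheme != "http" or p.port not in (None, 80):
        return url
    if not is_preloaded(p.hostname or "", preload):
        return url
    # Rebuild with the bare hostname so an explicit :80 is dropped.
    return urlunsplit(("https", p.hostname, p.path, p.query, p.fragment))
```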
While it may seem simple, by ensuring that its users predominantly follow HTTPS links, Facebook is helping to speed up the proliferation of HTTPS.
Granted, the links you’re following may have been created by a Russian bot intent on gaslighting you through the midterm elections, but at least your connection is secure.