Facebook Upgrades Link Structure to Include HSTS Preloading
HTTP Strict Transport Security will force secure connections on eligible domains
On Monday morning, Facebook announced that it had upgraded its link structure to include HSTS preloading. This is great news for a more secure internet as it will help to continue the proliferation of encryption across the internet.
We have recently upgraded our link security infrastructure to include HSTS preloading, which automatically upgrades HTTP links to HTTPS for eligible websites. This will improve people’s security and will also often improve the speed of navigation to sites from Facebook.
If you’re a regular reader, you know that the internet is currently transitioning from insecure HTTP to secure HTTPS. Starting this summer with the release of Chrome 66, every website that is still being served insecurely will be given a negative indicator and issued a warning. For all intents and purposes, the unencrypted internet will be dead by 2019.
This move by Facebook helps to accelerate the change.
HSTS, or HTTP Strict Transport Security, is an HTTP header that, once received by an internet user’s browser, forces all connections with that site to be made securely, via HTTPS.
Typically, you’ll see a website add the HSTS header and then add itself to the HSTS preload list. That list, which is maintained by Google, instructs browsers to make a secure connection with a given URL on its very first attempt to connect. This, in turn, closes a small attack vector wherein an internet user’s system is vulnerable on its first connection, before it can download the header itself.
What Facebook is doing goes a step further. Obviously, one of Facebook’s biggest features is its ability to curate content for its users. I don’t have the statistics, but suffice it to say that every single second, there are countless users following links away from Facebook as they consume content. We’re talking millions of followed links. And now, thanks to Facebook’s HSTS decision, all of them are being enforced via HTTPS. Well, at least all of the links that correspond to a site with a valid SSL certificate.
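The link upgrade described above can be sketched as a lookup against a preload list followed by a scheme rewrite. This is an added example, not Facebook's code: the function names and the two list entries are constructed for illustration, and the port-80 handling follows the rule browsers apply under RFC 6797.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample entries (host -> covers subdomains?); not real list data.
PRELOAD = {
    "example.com": True,         # entry also covers every subdomain
    "login.example.org": False,  # entry covers this exact host only
}

def is_preloaded(host, preload=PRELOAD):
    """True if host, or a parent entry that includes subdomains, is listed."""
    host = host.lower().rstrip(".")
    if host in preload:
        return True
    labels = host.split(".")
    # Compare whole labels so "notexample.com" never matches "example.com".
    return any(preload.get(".".join(labels[i:]), False)
               for i in range(1, len(labels)))

def upgrade_link(url, preload=PRELOAD):
    """Rewrite http:// to https:// when the host is covered by the list."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:          # malformed port: leave the link untouched
        return url
    if parts.scheme != "http" or not parts.hostname:
        return url
    if not is_preloaded(parts.hostname, preload):
        return url
    netloc = parts.netloc
    if port == 80:
        # An explicit :80 would point HTTPS at the wrong port (RFC 6797, 8.3).
        netloc = netloc.rpartition(":")[0]
    return urlunsplit(parts._replace(scheme="https", netloc=netloc))

if __name__ == "__main__":
    for link in ("http://www.example.com:80/news?id=1",
                 "http://sub.login.example.org/",
                 "http://notexample.com/"):
        print(link, "->", upgrade_link(link))
```

Links to hosts that are not covered stay on HTTP, which matches the "eligible websites" wording in Facebook's announcement.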
While it may seem simple, by forcing its users to predominantly follow HTTPS links, Facebook is helping to speed up the proliferation of HTTPS.
Granted, the links you’re following may have been created by a Russian bot intent on gaslighting you through the midterm elections, but at least your connection is secure.