When you’re dealing with 1 billion people’s personal info, security is critical. But Facebook didn’t want to sacrifice speed. That’s why it spent the last two years making infrastructure improvements so that its transition of all users to HTTPS, which starts this week, will “slow down connections only slightly.” People will be able to opt out of HTTPS for maximum speed if that’s how they roll.
Facebook has long employed HTTPS (Hypertext Transfer Protocol Secure) to protect users when they submit their username and password to log in. HTTPS prevents man-in-the-middle attacks and eavesdropping.
In January 2011, though, it started allowing people to opt in to have all their Facebook browsing encrypted in HTTPS. At the time it warned “Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS.”
Still, Facebook said that “We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.” Flash forward nearly two years to today, and it’s ready to fulfill that burning desire for security. A Facebook Developer Blog post from a few days ago announced “this week, we’re starting to roll out HTTPS for all North America users and will be soon rolling out to the rest of the world.”
I immediately wondered if that would make loading the news feed or peeping photos more sluggish. So I spoke with Facebook’s security policy manager Frederic Wolens to see what would happen to site speed, and here’s what he told me:
“It is far from a simple task to build out this capability for the more than a billion people that use the site and retain the stability & speed we expect, but we are making progress daily towards this end. This may slow down connections only slightly, but we have deployed significant performance enhancements to our load balancing infrastructure to mitigate most of the impact of moving to HTTPS, and will be continuing this work as we deploy this feature.”
So yes, there will be a slight slowdown. Facebook’s HTTPS is going to be a lot faster than it could have been thanks to engineers who rolled up their sleeves, but we’ll be monitoring for complaints just to make sure this is the case. For reference, Google moved Gmail to HTTPS in January 2010.
People who aren’t too concerned with their security might not be too excited about getting switched to HTTPS. And if they insist their connection is secure and want to browse Facebook as fast as possible, the company confirmed to me that they’ll have the option to opt out of HTTPS through their Account Security settings.
But protecting people who use the default settings is why this is an admirable decision by Facebook. Its priority is security. It might not be as sexy as blazing speed, but a hacked user is an unhappy user. Lots of people access Facebook from public Wi-Fi and public computers. Persistent HTTPS makes sure they’re not getting snooped on.
Facebook could have kept HTTPS as opt-in. Faster browsing leads to less frustration, longer session lengths, and more ad views. Unfortunately, the people who are the least security savvy and therefore most vulnerable are probably the least likely to voluntarily enable HTTPS.
Personal info-driven business models like Facebook’s are built on trust. It needs users to feel secure enough to keep donating their data, and that’s why this little green lock could turn into greenbacks over time.