Facebook has announced that it will use HSTS (HTTP Strict Transport Security) preloading to protect links on its social media platforms, facebook.com and instagram.com. With this move, Facebook says that when a user posts an unencrypted HTTP link to a site that appears on the HSTS preload list, the link will automatically be upgraded to its encrypted HTTPS equivalent.
Facebook says that most websites supporting HTTPS have not yet deployed HSTS, and that without HSTS users can end up on the unencrypted version of a site even when an HTTPS version exists. To overcome this barrier, Facebook said that making use of HSTS was essential.
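The link-upgrade step described above can be reproduced with a few lines of code. The example below is added here for illustration and is not Facebook's code; it assumes a preload list in the shape of the entries in Chromium's transport_security_state_static.json (the sample entries are constructed, not the real list) and follows the browser's own matching rule: an exact host always matches, a parent domain matches only when its entry sets include_subdomains. It also includes a header-side check of whether a site's Strict-Transport-Security header meets the hstspreload.org submission minimum, which is the part of the picture a site owner controls.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the shape of the entries in Chromium's
# transport_security_state_static.json (a hypothetical subset, not the real list).
SAMPLE_PRELOAD_JSON = """
[
  {"name": "facebook.com", "mode": "force-https", "include_subdomains": true},
  {"name": "example.org",  "mode": "force-https", "include_subdomains": false},
  {"name": "legacy.example", "include_subdomains": true}
]
"""


def load_preload_entries(raw_json):
    """Map host -> include_subdomains for every entry that forces HTTPS.

    Entries without "mode": "force-https" carry no upgrade rule and are skipped.
    """
    entries = {}
    for entry in json.loads(raw_json):
        if entry.get("mode") != "force-https":
            continue
        entries[entry["name"].lower()] = bool(entry.get("include_subdomains", False))
    return entries


def preload_match(host, entries):
    """Return the preload entry covering host, or None.

    An exact match always applies; a parent domain applies only when its entry
    has include_subdomains set, which is the rule browsers use for the list.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries and (i == 0 or entries[candidate]):
            return candidate
    return None


def upgrade_link(url, entries):
    """Rewrite an http:// URL to https:// if its host is covered by the preload list.

    Follows RFC 6797 section 8.3: an explicit port 80 becomes the default HTTPS
    port, any other explicit port is preserved. Non-http URLs are returned unchanged.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or parts.hostname is None:
        return url
    if preload_match(parts.hostname, entries) is None:
        return url
    try:
        explicit_port = parts.port
    except ValueError:  # malformed port: leave the URL alone rather than guess
        return url
    netloc = parts.netloc
    if explicit_port == 80:
        userinfo, at, hostport = netloc.rpartition("@")
        netloc = userinfo + at + hostport.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into lower-cased directive names."""
    directives = {}
    for token in header_value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts


def header_preload_eligible(header_value):
    """Check only the header-side requirements for submission to the preload list.

    The full submission criteria also cover the HTTP->HTTPS redirect and the
    certificate; those need a live connection and are out of scope here.
    """
    d = parse_hsts(header_value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return False
    return max_age >= PRELOAD_MIN_MAX_AGE and "includesubdomains" in d and "preload" in d


if __name__ == "__main__":
    entries = load_preload_entries(SAMPLE_PRELOAD_JSON)
    for link in ("http://www.facebook.com/groups/?ref=x",
                 "http://sub.example.org/",
                 "http://facebook.com:80/"):
        print(link, "->", upgrade_link(link, entries))
    print(header_preload_eligible("max-age=31536000; includeSubDomains; preload"))
```

Two details matter in practice. A link to a subdomain of a site whose entry lacks include_subdomains is left on HTTP, because the browser would not upgrade it either, so the rewrite must not be more aggressive than the list. And the header check deliberately treats a short max-age as ineligible: a site that sends HSTS with a max-age of a few minutes is not protecting first connections and would be rejected by the preload submission form.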
Explaining this, Jon Millican, Software Engineer at Facebook, commented:
We continue to encourage people to check the URL in the address bar to see if the link is supported by HTTPS. But we understand that many people still use browsers that don’t support HSTS, and so we’re working to ensure that their first connection to supported websites is secure.
Facebook predicts that its move to HSTS will spur the rate of HSTS adoption. It also says that the HSTS preload list makes building a secure web for its users much easier.
Echoing this point, Scott Helme, Security Researcher at Security Headers, commented:
The HSTS preload list is open so anyone can grab a copy of the list and start using it in great ways to improve security across the web.
If you host or link to content like Facebook does, handle traffic or any one of countless other scenarios, you could quickly start experimenting with the HSTS preload list to see how you can use it to help build a more secure web for everyone.
Let us hope that, as with many other trends set on social media, Facebook also sets the trend for security with HSTS.