Why did Facebook not use HSTS for a long time after it became available?

Edit: Facebook now uses HSTS, so both the question and the answer are now out of date.

Because using HTTPS for Facebook is optional.

If you look in "Account Settings" and "Security Settings" there is an option for "Secure browsing". It has defaulted to on since July 2013 but you still have the option to turn it off.

If they used HSTS then when you turned off "Secure browsing" the site would cease to work - at least, unless they did some fairly funky workaround.

I can't think of any practical reason to disable secure browsing. Certainly any such reason would be rare. I think the option is there more due to historical accident than active planning.


Summary: HSTS is coming, but the site has some hurdles related to protecting user information such as not telling a website who you are when you click on a link. Explanation of that particular issue: https://www.facebook.com/notes/facebook-engineering/protecting-privacy-with-referrers/392382738919

Firefox is the last major holdout. Here's comment 14 (March 15, 2012) from the bug that was filed in 2011: https://bugzilla.mozilla.org/show_bug.cgi?id=704320#c14

For WebKit users, Facebook plans to implement an "origin" policy in the near future. This policy effectively represents how our site behaves today, but without relying on the abuse of existing browser behavior. Background: https://www.facebook.com/notes/facebook-engineering/protecting-privacy-with-referrers/392382738919

The meta-referrer proposal provides two immediate benefits with respect to Facebook users:

  • We currently utilize document.location.replace() through an interstitial endpoint to perform external redirects for Mozilla users. Implementing a native redirect instead of relying upon JavaScript offers a slight performance improvement and enables the redirect to function with JavaScript disabled.

  • We intentionally downgrade the interstitial from HTTPS to HTTP in order to send a referer header. This is obviously undesirable but currently necessary in our context. Support for meta-referrer enables us to maintain a secure connection and resolves one of the last issues blocking implementation of Strict-Transport-Security.

Just throwing a bit of support behind the proposal. We'd love to see support in Firefox.

Followup comment 79 (January 30, 2014), same bug: https://bugzilla.mozilla.org/show_bug.cgi?id=704320#c79

Facebook has been asking for this since 2010; I'm not sure I understand the sudden rush.

Small update to comment #14: this is now the last remaining issue blocking Strict-Transport-Security on facebook.com for Firefox users (it's been enabled for Chrome/Safari users for some time). I wouldn't say that we're rushed; we're happy to wait for your preferred solution, but I would love to see HSTS enabled sooner rather than later.


Update May 2015: Facebook now uses HSTS. Good work.

$ http -h get https://www.facebook.com
Strict-Transport-Security: max-age=15552000; preload

See also https://www.ssllabs.com/ssltest/analyze.html?d=facebook.com
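The two threads above come together in how a browser actually consumes that header: once a policy is cached, every http:// navigation to the host is rewritten to https:// before any request goes out, which is exactly why an HTTP interstitial used to leak a Referer could not survive HSTS. The following is an added example (not code from the original post, nor from Facebook or Mozilla) that models that behaviour: it parses the Strict-Transport-Security value quoted in the answer, keeps a small HSTS cache with expiry and includeSubDomains handling, and upgrades URLs the way RFC 6797 requires. The www.facebook.com header value is the one shown above; every other host and URL is constructed, and the preload-list minimum is an assumption based on the hstspreload.org submission rules.

```python
"""Model of how a browser consumes the Strict-Transport-Security header.

Added example, not code from the original post or from Facebook/Mozilla.
The header value for www.facebook.com is the one quoted in the answer;
all other hosts and URLs are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Quoted in the answer: `http -h get https://www.facebook.com` (May 2015)
FACEBOOK_HSTS_2015 = "max-age=15552000; preload"

# Assumed preload-list minimum (hstspreload.org rules; verify before relying on it)
PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds


@dataclass
class HstsPolicy:
    max_age: int             # seconds the UA must keep enforcing HTTPS
    include_subdomains: bool
    preload: bool            # opt-in to browser preload lists
    received_at: float       # time the policy was learned

    def expired(self, now: float) -> bool:
        return now >= self.received_at + self.max_age


def parse_hsts(value: str, now: float = 0.0):
    """Parse an STS header value (RFC 6797 section 6.1); None if invalid."""
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:  # a directive may appear only once, else the header is invalid
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored, as the RFC requires
    if max_age is None:  # max-age is mandatory
        return None
    return HstsPolicy(max_age, include_subdomains, preload, now)


def preload_ready(policy: HstsPolicy) -> bool:
    """Would this policy satisfy the assumed preload submission rules?"""
    return (policy.preload and policy.include_subdomains
            and policy.max_age >= PRELOAD_MIN_MAX_AGE)


class HstsStore:
    """Minimal model of a browser's HSTS cache."""

    def __init__(self):
        self._policies = {}

    def note_response(self, host: str, header_value: str, over_tls: bool, now: float) -> bool:
        """Record a policy; returns True if the cache changed."""
        if not over_tls:  # RFC 6797 8.1: STS headers received over plain HTTP are ignored
            return False
        policy = parse_hsts(header_value, now)
        if policy is None:
            return False
        host = host.lower()
        if policy.max_age == 0:  # max-age=0 tells the UA to forget the host
            return self._policies.pop(host, None) is not None
        self._policies[host] = policy
        return True

    def is_known(self, host: str, now: float) -> bool:
        """Is host (or a superdomain with includeSubDomains) a known HSTS host?"""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expired(now):
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for known hosts, as a UA must (RFC 6797 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        netloc = parts.netloc
        if parts.port == 80:  # an explicit :80 maps to the default TLS port
            netloc = netloc.rsplit(":", 1)[0]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.note_response("www.facebook.com", FACEBOOK_HSTS_2015, True, now=0.0)
    # A plain-HTTP interstitial of the kind described in comment 14 (constructed
    # path) can no longer be reached once the policy is cached:
    print(store.rewrite("http://www.facebook.com/interstitial?u=x", now=1.0))
    print("preload-ready:", preload_ready(parse_hsts(FACEBOOK_HSTS_2015)))
```

Two things worth noticing when running it: the 2015 header carries `preload` but not `includeSubDomains`, so `preload_ready` reports it would not meet the assumed submission rules, and the policy only protects `www.facebook.com` itself, not hosts beneath it. The `over_tls` check matters in practice: a header learned over plain HTTP is discarded, so a site that only sets HSTS on its HTTP redirect never gets any protection.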

Tags: Facebook, Hsts, Tls