The site encrypted your password during login using HTTPS, but left the rest of your session unencrypted. Firesheep was released as a proof of concept that sniffing an unencrypted session after login was all an attacker needed to hijack your account. This made Facebook’s new option welcome, but being opt-in meant it didn’t go far enough.
Facebook finally did move to make secure browsing a default, at least for users in North America. Facebook has now announced that it is using HTTPS by default for all users, so the rest of the world has finally caught up. It took time because it involved a lot of moving parts, explains Facebook software engineer Scott Renfro.
Namely, it involved getting third-party application developers to upgrade, making web-browser cookies compliant, controlling referrer headers, and migrating users to HTTPS without disrupting “in-flight” sessions, i.e. upgrading people while they’re actually using the site.
Performance has also been a big challenge, Renfro says, given the additional hoops browsers have to jump through with HTTPS: In addition to the network round trip required for your browser to talk to Facebook servers, HTTPS adds extra round trips for the handshake to set up the connection. Full handshakes require two extra round trips, while an abbreviated handshake requires just one extra round trip. An abbreviated handshake can only follow a successful full handshake.
Here’s an example from Renfro of how that extra latency can make users with already-slow connections suffer even more, and how Facebook has eased the pain: If you’re in Vancouver, where a round trip to Facebook’s Prineville, Oregon, data center takes 20ms, then the full handshake only adds about 40ms, which probably isn’t noticeable. However, if you’re in Jakarta, where a round trip takes 300ms, a full handshake can add 600ms. When combined with an already slow connection, this additional latency on every request could be very noticeable and annoying. Thankfully, we’ve been able to avoid this extra latency in most cases by upgrading our infrastructure and using abbreviated handshakes.
Facebook’s work on secure browsing is most certainly not done, mind you: the company says it’s still working with mobile phone vendors to make it happen there.