
Facebook follows Google with super-tough encryption technique most services don't use


Demand for encryption apps has increased dramatically ever since the exposure of massive internet surveillance programs run by US and UK intelligence agencies. Now Facebook is reportedly moving to implement a strong, decades-old encryption technique that's been largely avoided by the online services that need it most.

Forward secrecy (sometimes called "perfect forward secrecy") is a way of encrypting internet traffic — in this case the connection between a website and your browser — so that it's harder for a third party to decrypt the pages being viewed, even if the server's key becomes compromised. It's been lauded by cryptography experts since its creation in the early 1990s, yet most "secure" online services like banks and webmail still don't use it. Citing a person familiar with the company's plans, CNET reports that Facebook is currently working on implementing forward secrecy and intends to roll out the feature to its users.


Normally, unencrypted web traffic (HTTP) can be viewed by anyone looking at it as it flies by, as NSA and GCHQ reportedly do while intercepting data from fiber-optic cables. A site supporting HTTPS connections (seen as a "lock" icon in your browser) blocks this eavesdropping by using a shared encryption key between your browser and a web server to protect data while it's in transit.

With regular HTTPS connections, the exchange of that shared key is protected by a single "master" (private) key held by the server, which is fine unless the server's key is compromised. Sites using forward secrecy exchange keys differently, so that a criminal or an intelligence agency sucking up internet traffic can't retroactively decrypt all of the site's communications if they get the server's private key.
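As an added illustration (not part of the original article, and not code from Facebook or Google), the Python below classifies TLS cipher suite names by whether their key exchange is ephemeral, which is what decides if a stolen server key can decrypt recorded traffic. The suite names are constructed sample input in OpenSSL and IANA naming, and the function names are this example's own.

```python
import re

# Added example: classify TLS cipher suite names by whether the key exchange
# gives forward secrecy. Suite names used here are constructed sample input.
EPHEMERAL = {"ECDHE", "DHE", "EDH"}        # fresh Diffie-Hellman keys per handshake
STATIC = {"RSA", "ECDH", "DH", "PSK"}      # session key depends on a long-term secret
BULK_FIRST = re.compile(r"^(AES|DES|RC4|CAMELLIA|SEED|IDEA|ARIA|NULL)")

def key_exchange(suite):
    """Return the key-exchange label for an OpenSSL- or IANA-style suite name."""
    name = suite.strip().upper()
    if "ANON" in name or name.startswith(("ADH-", "AECDH-")):
        return "ANON"                      # no server authentication at all
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            return "TLS1.3"                # TLS 1.3: full handshakes always use (EC)DHE
        return name[4:].split("_")[0]      # TLS_<kx>_<auth>_WITH_<cipher>_<mac>
    token = name.split("-")[0]             # <kx>-<auth>-<cipher>-<mac>
    if BULK_FIRST.match(token):
        return "RSA"                       # e.g. AES128-SHA: RSA key transport is implied
    return token

def verdict(suite):
    kx = key_exchange(suite)
    if kx in EPHEMERAL or kx == "TLS1.3":
        return "forward-secret"
    if kx in STATIC:
        return "no-forward-secrecy"        # a stolen server key decrypts recorded sessions
    return "review"                        # anonymous or unrecognised: check by hand

def audit(suites):
    """Group suite names by verdict, preserving the order they were given in."""
    report = {"forward-secret": [], "no-forward-secrecy": [], "review": []}
    for suite in suites:
        report[verdict(suite)].append(suite)
    return report

if __name__ == "__main__":
    sample = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "TLS_AES_256_GCM_SHA384",
              "TLS_RSA_WITH_AES_128_CBC_SHA", "DHE-RSA-AES256-SHA", "ADH-AES128-SHA"]
    for label, names in audit(sample).items():
        print(f"{label}: {', '.join(names) or '-'}")
```

To audit a local configuration, the names can be taken from the `name` field of each entry returned by `ssl.create_default_context().get_ciphers()`.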

In 2011, Google became one of the only major sites to implement forward secrecy, and was later joined by Bloomberg.com, as Michael Horowitz notes in his explanation in ComputerWorld. Other services still lag behind, likely due to the impact the enhanced "handshaking" process has on performance. CNET says that Facebook intends to make the switch "soon."

Update: Not to be outdone, Cryptocat creator Nadim Kobeissi has announced that the website and servers for his popular encrypted chat app are now implementing forward secrecy:

Update 2: Fixed language to clarify the difference in key exchange process between regular HTTPS/SSL and forward secrecy