Ivan Ristic, director of engineering at security firm Qualys, a company that monitors the HTTPS implementations on the world's most popular websites through a project called SSL Pulse, believes that it was harder for Facebook to implement this feature given its ecosystem of millions of third-party apps and websites that integrate with its platform.
The task of implementing HTTPS across one's own infrastructure is manageable, Ristic said Tuesday. However, when you have to deal with third-party content providers things become more complicated and require more time, he said.
Having full-session HTTPS turned on by default will have an impact on latency, but mainly when a browser first connects to a website and negotiates the SSL connection, Ristic said. However, that impact is probably going to be unnoticeable, he said.
Ristic believes that the security benefits of HTTPS are much more important and are definitely worth the latency costs. He also hopes to see other websites implement always-on HTTPS by default as well, even those that don't deal with particularly valuable accounts from an attacker's perspective, such as Wikipedia.
Using SSL is the only way to ensure the integrity of your content, Ristic said, adding that some ISPs and wireless network providers are already in the habit of inserting ads and other content into websites that don't use HTTPS.
However, the SSL expert doesn't believe that Facebook's switch to HTTPS by default will necessarily determine other websites to implement the feature as well. It's the users who need to pressure website operators into securing their connections with HTTPS at all times, he said.
Ristic echoed the EFF's opinion that Facebook's move is a great step forward for SSL adoption. However, the next step for Facebook is to implement HTTP Strict Transport Security (HSTS), he said.
HSTS allows HTTPS-enabled websites to instruct browsers that any attempts to initiate a connection with them over HTTP should not be allowed. This feature was designed to prevent a type of attack known as SSL stripping that allows an attacker positioned between a website and a user to force a connection downgrade from HTTPS to HTTP.
Qualys' SSL Server Test rates Facebook's current HTTP implementation with grade A and a score of 87 out of 100 points.