
AES-GCM is quite nice. It's a "modern" construction that both runs AES in a stream cipher mode and integrates it tightly with a fast message authentication code. The "GCM" in "AES-GCM" mostly alludes to GHASH, the MAC function, which is a fast polynomial universal hashing MAC, in roughly the same family as Daniel Bernstein's Poly1305.

What's especially nice about AES-GCM is that the "mode" itself takes care of guaranteeing both message confidentiality and integrity. The TLS working group does not need to do much joinery and decision-making to make GCM work; the mode itself is standardized to provide those capabilities. The less you ask of the TLS working group, the more you put on the fundamental crypto, the better off you are.

(As it happens, the very little decision-making latitude the TLS WG actually had for AES-GCM resulted in a weakness! Though not an especially meaningful one.)

Facebook also has a good security team. Google has the advantage/beneficence of running an important browser project that is itself committed to moving the ball forward on TLS, which is an advantage Facebook lacks.



"Meaningful" was the wrong word here, FWIW.



