There is a lot of noise around about the need to secure our Facebook Apps and Fanpages with SSL – effective 1 October, 2011… but what does it really mean?

Just what is SSL?

Let’s look at what SSL really is first – Secure Sockets Layer (SSL) is a way of creating an encrypted connection between a web browser (like Internet Explorer, Firefox etc) and a website.  This ‘secure connection’ is facilitated by the use of an SSL certificate (which is essentially a text file that is stored on the webserver), which is used to set up a unique encryption key for every browser session started.

The most important thing about the use of SSL for browser connections, is that the certificate identifies the domain name and, in many cases, the organisational details of the website owner.  This level of identification should provide the website visitor with a level of comfort that they are communicating with the ‘real deal’.

When is SSL most used?

SSL is used mostly in ECommerce applications – particularly when a purchaser’s credit card or payment information has to be entered and transmitted across the Internet. It can also be used for logon screens etc.

When SSL is enabled and used, a purchaser can enter their private information into their browser and the information is transmitted in an encrypted data stream back to the webserver for processing.

What does Facebook SSL mean?

Apps developed for Facebook often require Facebook users to authenticate back to Facebook – i.e. they need to ‘connect’ to their Facebook account from a 3rd party site to enable some functionality, and to connect their accounts they must enter their username and password.

In a Facebook blog post, Keeping Users Safe, in May – Facebook state:

As the web evolves, expectations around security change. For example, HTTPS — once a technology used primarily on banking and e-commerce sites — is now becoming the norm for any web app that stores user information. We feel that HTTPS is an essential option to protect the security of Facebook accounts, and since Apps on Facebook are an important part of the site, support for HTTPS in your app is critical to ensure user security.

All good and well – unfortunately, with the move to make all Facebook Fanpages iframes – these are now classed as apps… and subject to the requirement of needing a SSL page to display.

Facebook have mandated that all apps will require a https (or SSL) connection by October 1st.

What happens if your fanpage doesn’t have SSL before October 1st?

If you use the Facebook Developer apps (www.Facebook.com/developer) to create your Fanpages, like I do, it is unclear what will happen.  Certainly, when editing the existing applications I’ve created, I receive a stern warning that the application MUST include a https link.  I am working on the assumption that if my apps don’t include a https link, they will be disabled.

For those who use a Facebook app to enable their Welcome Pages – you need to consider two things…

  1. Has your application provider updated their application to meet the new SSL requirements for Facebook?
  2. If you ‘host’ your own page, even when using one of the third party apps, do you have a https connection for your files?

Looking at the 2nd question above – if you don’t provide a https link for your fanpage, the results will depend on the settings of the end user’s browser.  In some cases, the user will receive a dialogue box warning them that parts of the page they are viewing are insecure, in other cases the page just won’t display at all.

If you have already turned on secure browsing within your Facebook Account, you will receive the following message:

But what does all this mean?

Simply, if you don’t provide https links for your applications they won’t work.

If you don’t provide a https link for your fanpage files, if you host them yourself – they won’t display. New visitors to your facebook fanpage won’t see your welcome images / messages and may be required to complete extra actions, just to interact with your business.  Not exactly the desirable outcome we are looking for!
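An added example, not part of the original post: a short Python check that scans the HTML of a self-hosted fanpage for images, scripts and stylesheets that would still be fetched over plain http once the page is served over https, which is what produces the "parts of the page are insecure" warning. The sample markup, the cdn.example.com host and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a sub-resource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
               "audio": "src", "video": "src", "source": "src", "object": "data"}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that trigger a fetch

class InsecureRefFinder(HTMLParser):
    """Collects sub-resources the browser would request over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            name = "href" if rels & LINK_RELS else None
        else:
            name = FETCH_ATTRS.get(tag)  # plain <a> links are not sub-resources
        value = attrs.get(name) if name else None
        if not value:
            return
        # Resolve relative and protocol-relative URLs the way a browser would.
        resolved = urljoin(self.page_url, value.strip())
        if urlparse(resolved).scheme == "http":
            self.insecure.append((tag, resolved))

def find_insecure_refs(html, page_url):
    """Return (tag, url) pairs that would cause a mixed-content warning."""
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed sample fanpage markup (not from the original post).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://yourdomain.com/fanpage/style.css">
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<img src="images/welcome.png">
<img src="http://yourdomain.com/fanpage/banner.jpg">
<a href="http://yourdomain.com/">Visit us</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_insecure_refs(SAMPLE, "https://yourdomain.com/fanpage/"):
        print(f"insecure <{tag}>: {url}")
```

Relative and protocol-relative references inherit the scheme of the page itself, so only the two hard-coded http:// resources are reported when the page URL is https.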

How Do I ‘get’ SSL?

There are a couple of ways of doing this…

Use a 3rd party application

You can migrate the facebook pages to a 3rd party application that already looks after the SSL part of the transactions.  This will likely mean that your page will be hosted on someone else’s server – so exercise caution when choosing a provider and ensure they will be around for the long haul.

Implement SSL yourself…

You can implement SSL on your own webhosting.

Dedicated SSL Certificate

To be able to access your fanpage under your own domain name, like:

https://yourdomain.com/fanpage   (where yourdomain.com is your own domain name)

you will require a SSL certificate for your domain name.

Depending on the type of certificate you buy the price will typically range from $99 upwards.

The other requirement to implement a dedicated SSL certificate is a dedicated IP address – which means you will need to speak to your hosting provider to get one.

I’ve glossed over a lot of stuff here – but that’s the gist of it.

Shared SSL Certificate

Many hosting providers will provide a shared SSL Certificate.

The certificate will be registered to the host name your site is hosted on.  On most CPanel hosting accounts, the link will be something like:

https://hostname.hostingprovidersdomain.com/~yourusername/pathtofiles

Shared SSL certificates are certainly available on Hostgator Hatchling and Baby Plans and Bluehost services.

This certificate is usable immediately and does not require you to have a dedicated IP address.

The downside – you don’t use your domain name in the url.  For the purposes of setting up fanpages with SSL, I don’t see this as a big issue.

Do It Now!

You only have until October 1st to get your fanpages and facebook apps sorted out – so do it now, so you can iron out any of the little wrinkles that are likely to occur.

If you need assistance in fixing your fanpages to work with SSL, you can book a consultation with us.  Please use our contact form to make a booking.

About the Author acltechteam
