As of Saturday, October 1, Facebook requires ALL apps & page tabs to support HTTPS secure hosting, to “ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.”
Facebook has not stated the consequence of non-compliance, but it’s possible that non-secure content won’t be displayed to Facebook users, whether or not those users are browsing under “Secure Browsing (HTTPS).” Facebook says “You must provide an SSL certificate in the Dev App settings to avoid having your app disabled.”
So What Does It All Mean, How Does It Affect Me?
In plain English, it means that all apps, and fan pages (custom Facebook pages) where they’re running, need to be hosted securely.
How it’s going to affect you will depend on a number of things, including how your app is set up, but the most important thing is that you’ll have to have a valid SSL certificate (see the explanation of the SSL Secure Socket Layer protocol from HyperArts’ Blog below) securing the domain/s where your content is being pulled from.
SSL is the “Secure Socket Layer” protocol which is responsible for creating secure communication between a user’s browser and the website they’re viewing. This is done by both server and client authentication and the negotiation of an encryption algorithm and cryptographic keys.
There are two types of SSL certificates — shared and private/dedicated.
Shared SSL Security Certificate
A shared SSL certificate will always be the most inexpensive option, as your site shares one SSL certificate with all the other sites on your shared server. This would NOT be a good solution for an e-commerce site, but for simply satisfying Facebook’s requirement that your page be hosted securely it’s fine.
Some hosts offer the shared certificate option and some do not. You’ll have to check.
Private / Dedicated SSL Security Certificate
A private SSL certificate is tied specifically to your domain (www.YourDomain.com), and requires that your domain has a unique IP address (Example 126.96.36.199) associated with the domain.
Private SSL certificates are more costly, but not prohibitively so.
So, if you / your developers / web designer / web design company / web hosts are compliant, the https:// prefix (see image above) will be present and your app will continue working as expected.
We welcome the change, and understand the motivation behind the shift. Their aim is to “be the social layer upon which the web is built”; without providing a secure platform, that is just impossible. There has been a lot of dissent and general unhappiness with this new move from Facebook, with developers and small design firms feeling that the pressure to comply is a little too much, too soon. Facebook offers us a massive opportunity and affords us so many liberties as designers and developers that we often tend to forget that they’re a private company offering us a service, and if they decide to change the game (which they do quite often!) we should accept their decisions and adapt.