Keeping Up With Facebook Platform Changes
Potential Security Risks
(Page 2 of 2)
Note that "secure" in this context means encrypted--users operating in this mode are protecting the content of their status posts more or less the same way they might protect the transmission of their bank account passwords. They aren't necessarily any more protected against malware, scams, privacy-sucking applications, and other ills of the Internet. But I suspect the perception may be otherwise.
To give the people at Facebook credit, refusing to display unencrypted content within an encrypted page is one way they are trying to avoid some potential security risks of the IFrame integration model. Also, even if Facebook didn't prevent the IFrame from displaying, Internet Explorer users would get a warning about mixed secure and insecure content that would tend to scare them off (some other browsers are more laid back about this).
The problem is easily solved by registering and installing an SSL certificate for your server--a slight stumbling block for some small-time operators, in terms of technical complexity and expense, but no biggie for a brand like Red Bull--and adding the https address for your content to the "Secure Tab URL" field in the Facebook app registration form. Facebook then serves the https version as the IFrame content to users browsing in that mode.
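A pre-publication check for the fix described above, as an added example that is not from the original article or from Facebook: it confirms the secure tab URL is https and lists any subresources the page would still load over plain http, the condition behind mixed-content warnings inside an encrypted page. The host names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# "active" content can rewrite the page; "passive" content is only displayed.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class _SubresourceScanner(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet links are fetched and applied; skip rel=canonical etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for kind, pairs in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, a in pairs:
                if t == tag and attrs.get(a):
                    # Resolve relative and protocol-relative (//host/x) references.
                    url = urljoin(self.base_url, attrs[a].strip())
                    if urlsplit(url).scheme == "http":
                        self.findings.append((kind, tag, url))

def audit_secure_tab(secure_tab_url, html):
    """Return (kind, tag, url) findings for a page meant to be framed over https."""
    if urlsplit(secure_tab_url).scheme != "https":
        return [("frame", "iframe", secure_tab_url)]
    scanner = _SubresourceScanner(secure_tab_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample markup for a hypothetical tab at tabs.example.com.
SAMPLE = """
<link rel="stylesheet" href="/css/tab.css">
<link rel="canonical" href="http://tabs.example.com/promo/">
<script src="http://cdn.example.net/widget.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<img src="http://img.example.net/can.png">
<a href="http://www.example.com/">Visit us</a>
"""

if __name__ == "__main__":
    for finding in audit_secure_tab("https://tabs.example.com/promo/", SAMPLE):
        print(finding)
```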
One catch: There was no such field on the form until about a month ago. Facebook introduced its secure browsing feature in late January and added IFrame page tab support on February 10. At the time, the potential overlap between these two changes was not widely noted. About mid-March, I started hearing from people who had followed my tutorial on creating an IFrame-style page tab and were having trouble accessing their own content because they had switched on the https browsing feature. At one point, Facebook's solution was not to display the unsecured tabs at all for https users, so it seemed to some like their tabs had simply disappeared.
Going back and looking at old screen shots, I can see that there was a way developers could have specified a secure URL on the old form. Previously, there was a way of specifying a secure "canvas URL" for your applications, and the form had you specify your tab URL as a file or subdirectory below the one for the canvas. However, it wasn't clear why you would need to do so unless your app was handling particularly sensitive information.
Facebook advised developers of the need to secure an SSL certificate in a blog post on Friday, but as far as I can tell this is the first time they've highlighted the issue. According to the post, the number of Facebook users browsing with https is up to 9.6 million and counting. That's out of about 500 million active users, but in my experience it includes many of the most active among them--not people you want to snub or make jump through hoops to get to your content.
This is just another reminder of the hazards of building business applications on a platform owned by someone else, one that changes according to someone else's schedule and plans. You really have to stay on your toes if you want to keep up. This may require working late hours and drinking more Red Bull.