Facebook Developers Face Deadlines On Security

David F. Carr | July 18, 2011
 
   

Facebook tightens security and authorization requirements for app integration. Some voluntary changes will soon become mandatory.

Developers who sign into Facebook to create or update an application are now getting a warning that time is running out for them to register a secure server associated with their application.

As announced Friday, Facebook has completed the transition to the new version of the Developer App utility used to register applications for use within Facebook. Aside from making a few more navigational user interface changes, the new version now warns developers that as of October 1 they must provide a secure Web address as the source for their applications, including content to be displayed on a Facebook page tab. The deadline had been previously announced in May, at around the same time Symantec exposed a series of security flaws in the Facebook platform. The platform roadmap also includes a September 1 deadline for applications to transition to the OAuth 2.0 standard for better authentication with Facebook.


Facebook significantly simplified options for creating custom page tabs in February, when it introduced support for HTML iFrames as an integration method, even though it was criticized in some quarters as too simplistic. This meant that instead of coding applications in a proprietary language, FBML, and a Facebook-approved subset of JavaScript functions, developers could embed almost any Web application functionality within an embedded frame, or iFrame. But the Facebook platform is a moving target, and this change soon collided with Facebook's transition to using connections encrypted with https, the same version of the Web protocol used to protect online credit card transactions.

By moving to encrypted connections, Facebook hopes to prevent a class of user account hacks based on intercepting the Web cookie files used to identify users after they have logged in. Browsing Facebook in this secure mode is a user configuration option today, but Facebook is talking about making it the standard.

The issue for apps is that if the base Facebook page is being viewed over an https connection, the embedded content also needs to be available in the same mode for the sake of security and consistency. For the past several months, the Facebook app infrastructure has been in a transitional phase where developers were encouraged to register a secure Web address for their apps but not required to do so. Users browsing the website in https mode would be given the option of switching to an unencrypted connection to view an app or tab for which no secure content was available.

Making https connections mandatory is a natural next step, although it may be a stumbling block for some small-time players who started creating custom Facebook tab content when it was easier. Although obtaining the security certificate required for an https connection is relatively inexpensive, it does require that the domain be associated with a dedicated IP address--a hurdle for small business websites that share a server with other domains.
