
Facebook Apps Still Not Serving SSL

Almost two months ago, Facebook added a setting for browsing with an SSL connection. So far, most app developers have not yet caught up.

It’s simple. Go to Account->Account Settings->Account Security->Secure Browsing and click a checkbox.


Option for using https "whenever possible"


After saving, your Facebook experience will all flow over SSL, every byte encrypted with a 128-bit key. But fire up your favorite game, and you will probably see a request to turn this setting off.

Dialog displayed by apps that don't support SSL

If you click the continue button, you might expect that you’d be temporarily allowing an unencrypted connection. Instead, your setting is turned off. When you’re done with CityVille, you will have to switch it back on again. I’m sure Facebook will improve this user experience over time.

When Facebook rolled out this feature, they added a new setting for app developers that asks for the URL to the secure version of their app. It starts out blank, and when it is blank, the dialog above shows up. Naturally, I wanted to get things right, so I began experimenting. Unfortunately, once you have a valid value, you can’t return to having it be blank. Now I was forced to solve this somehow.

Time for a short diversion into how HTTPS works.

You know how you can have one server hosting multiple domains, each with their own site content? It’s called virtual hosting, and it’s a standard feature of Apache. The way it works in the HTTP protocol is that when your browser connects to the server, it uses the IP address and, in addition to asking for the document to view (e.g. GET /index.html), it also specifies the domain name. Apache’s configuration knows where the files on the server are for that domain, and away we go.

In the case of a secure connection, your browser and Apache must exchange keys to be used for encrypting data. Your browser will also ask for proof of identity from the server. The proof is in a small file called a certificate. This exchange happens before the browser sends its request, so Apache has not yet seen the domain name and has to choose the certificate by IP address alone. As a result, a certificate is only good for one IP address and one domain. You can make multiple certificates work if you have multiple IPs. A certificate signed by an authority is a few hundred dollars, but IPs are scarce. It’s a gigantic pain in the neck for a small developer.
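The difference between the two cases, sketched as an Apache configuration. This is an added example, not the author's actual setup: hostnames, paths and the 192.0.2.x addresses are placeholders, and it assumes clients that do not send the hostname in the TLS handshake (no SNI).

```apache
# Constructed example. Listen 80 and Listen 443 are assumed to be set
# elsewhere in the server configuration, and mod_ssl is assumed loaded.

# --- Plain HTTP: one IP address, many sites -------------------------------
# Apache selects the site from the Host: header inside the request.
# NameVirtualHost is required on Apache 2.2 and unnecessary on 2.4.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName   app-one.example.com
    DocumentRoot /var/www/app-one
</VirtualHost>

<VirtualHost *:80>
    ServerName   app-two.example.com
    DocumentRoot /var/www/app-two
</VirtualHost>

# --- HTTPS: one IP address per site ---------------------------------------
# The certificate is sent during the handshake, before any Host: header
# exists, so each site is bound to its own address and its own certificate.
<VirtualHost 192.0.2.10:443>
    ServerName            app-one.example.com
    DocumentRoot          /var/www/app-one
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/app-one.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app-one.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName            app-two.example.com
    DocumentRoot          /var/www/app-two
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/app-two.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app-two.example.com.key
</VirtualHost>

# Putting both sites on 192.0.2.10:443 instead would make Apache present
# the first vhost's certificate for every request, so a browser asking for
# app-two.example.com would get a name-mismatch warning.
```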

If you have multiple apps running on Facebook, you could reorganize them on the server to use subdirectories instead of subdomains. For both canvas apps and iframe apps, the user is hardly exposed to your backend URLs anyway. In the short term, I’ve made a single page that says the following.

We’re sorry! This app does not function when requested via ssl. To access this app, please change your facebook settings under Account->Account Settings->Account Security->Secure Browsing.

Then I pointed all of my SSL URLs at it. Note that this page is served up using a self-signed certificate. It’s interesting that Facebook doesn’t care to enforce the identity check but they do care that the data is sent via SSL end to end. That’s reasonable.

Instead of reorganizing all of my files on the backend, I plan to rebuild my apps so that they work outside of the Facebook canvas, using the Facebook Connect feature instead. Facebook seems to be doing what they can to push everyone off of the canvas, anyway.

It’s also interesting that most of the games I’ve tried still show the request to switch off SSL. The popular Zynga games do. I found that Golden Nugget Vegas Casino, run by one of my clients (AltEgo), does serve up with SSL. Smart.

Recently, Twitter added a similar feature to always use HTTPS, but I wouldn’t expect any issues like we have with Facebook because Twitter never got into the business of piping content from apps through their own servers.


3 replies on “Facebook Apps Still Not Serving SSL”

Mike, I just tried to use a self-signed cert for a custom tab, however, it seems it’s not working. Planning to purchase one now, and hope it does.

For canvas apps, it was my experience that a self-signed cert worked. That was a couple of months ago, so YMMV. For iframe apps, you will have to get one signed by an authority.

Hey Leon, sharing your pain man! What I can’t seem to find documented any place is what certificate authorities Facebook is willing to accept. In other words, can I just go and create a self-signed cert for myself using openssl, or do I have to buy one from VeriSign or the like? You got any ideas?

Thanks man,
