Facebook has recently enabled sitewide HTTPS secure login for its users. If you haven't done so yet, you may want to enable secure login on your Facebook account. When a user who has HTTPS enabled lands on your page or Facebook app, your page may be generating security warnings about the webpage content that was delivered.
The message is “Do you want to view only the webpage content that was delivered securely?
This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage”
The reason for these security warning messages:
- Cross-domain content being pulled together into one page raises SSL warnings
- If an FB app does not have the Secure Canvas URL set, the error message will be shown
- Content comes from FB, from the host of the third-party app, and from the host where the embedded content lives
Past
- Facebook tabs used FBML (Facebook Markup Language), derived from HTML and using FB-approved JS and AJAX commands
- Custom app inside a standard FBML tab. External data requested by the app. Technical limitations: requests were proxied through FB, which broke JS, tracking pixels, etc.
Now
- Support for HTML Iframes (inline frames) as display tech for page tabs
- Supporting this: XFBML and the JS dev kit, which work in FB iframes and in independent web pages
- Can use any JS library, Flash, Silverlight
- Apps such as all those silly games people play on Facebook often use iframes rather than HTML so they can take advantage of web technologies such as Flash
- Access Facebook over a secure connection using HTTPS – a knee-jerk reaction. The highest priority for encryption is the session credentials.
Security risks
- An FB tab can include JS that performs browser redirection to a malicious website
- If exposing apps as FB tabs using iframes, watch out for form submissions and other interactions that bypass proxies, for example the case where FB is blocked at work
- The whole thing was started by Firesheep – hijack a user's session and take over the account, because the session data was being transmitted unencrypted and was sniffable over wifi
- Rogue Apps – http://www.readwriteweb.com/archives/how_safe_are_facebook_applications.php
Recommendations
- You do not want to run everything over SSL; it is expensive from a cost and performance perspective
- Install an SSL cert on the webserver hosting the app files. Get the SSL cert (or the Progressive signed cert) that is valid for the domain
- Do not use a self signed certificate
- Remove http references to content.
- Add https references when the content is known to be served over HTTPS. Example: using jQuery from the googleapis.com AJAX library CDN
- Same for any FB connect code over http
- Actually the best way is to use protocol-relative URLs. Start the URL with // to ensure the content is loaded over the same protocol as the parent page. That way, when someone visits your content via http://, the content you are embedding doesn't get unnecessarily encrypted.
- Populate the Secure Tab URL field or Secure Canvas URL field in the app
- You don't need SSL certs for every client, but if you get a valid SSL cert for your domain and host all the content there, you can host multiple clients' iframe content
- https://apps.facebook.com/contactajit/
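To find the http:// references the recommendations above tell you to remove, here is a small mixed-content scanner and rewriter. It is an added example, not code from the original post or from Facebook; the sample tab markup and hostnames are constructed for illustration, and it assumes every rewritten host also serves the asset over HTTPS.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a sub-resource into the page. A plain
# http:// value in one of these on an https parent page is what triggers the
# "content will not be delivered using a secure HTTPS connection" warning.
# Navigation links (<a href>) are not fetched with the page, so they are ignored.
FETCH_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
               ("link", "href"), ("embed", "src"), ("object", "data")}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attr, url) for every sub-resource loaded over plain http."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in FETCH_ATTRS and value and urlsplit(value).scheme == "http":
                self.insecure.append((tag, name, value))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.insecure


def to_protocol_relative(url):
    """Drop the scheme so the asset follows the parent page's protocol (// URL)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return url
    return "//" + parts.netloc + parts.path + ("?" + parts.query if parts.query else "")


def rewrite_mixed_content(html):
    """Rewrite every flagged sub-resource URL to its protocol-relative form."""
    out = html
    for _, _, url in find_mixed_content(html):
        out = out.replace(url, to_protocol_relative(url))
    return out


# Constructed sample tab markup (hypothetical hosts): one CDN script over http,
# one stylesheet already on https, one http tracking pixel and one plain link.
SAMPLE = """<html><head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<link rel="stylesheet" href="https://app.example.com/tab.css">
</head><body>
<img src="http://tracker.example.com/pixel.gif" width="1" height="1">
<a href="http://example.com/">plain link, not a fetch</a>
</body></html>"""
```

Run `find_mixed_content(SAMPLE)` to list the two offending fetches; `rewrite_mixed_content(SAMPLE)` returns markup that scans clean.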