
Resolve Facebook security warnings when a user enables https

Facebook has recently enabled sitewide https secure login for its users. If you haven't done so yet, you may want to enable secure login on your Facebook account. When a user who has https enabled lands on your page or Facebook app, your page may be generating security warnings about webpage content that was not delivered securely.

The message is: “Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.”

Facebook Security Warning message for Applications

The reason for these security warning messages:

  • Cross-domain content being pulled together into one page raises SSL (mixed content) warnings
  • If an FB app does not have the Secure Canvas URL set, the error message will be shown
  • Content comes from three places: FB itself, the host of the third-party app, and the host where the embedded content lives

Past

  • Facebook tabs were built with FBML (Facebook Markup Language), derived from HTML and using FB-approved JS and AJAX commands
  • A custom app ran inside a standard FBML tab, with external data requested by the app. Technical limitations: requests were proxied through FB, which broke JS, tracking pixels, etc.

Now

  • Support for HTML iframes (inline frames) as the display technology for page tabs
  • Supported by XFBML and the JS dev kit, which work both in FB iframes and on independent web pages
  • Can use any JS library, Flash, Silverlight
  • Apps such as all those silly games people play on Facebook often use iframes rather than HTML so they can take advantage of web technologies such as Flash
  • Access Facebook over a secure connection using HTTPS: a knee-jerk reaction. The highest priority for encryption is the session credentials.

Security risks

  • An FB tab can include JS that performs a browser redirect to a malicious website
  • If exposing apps as FB tabs using iframes, watch out for form submissions and other interactions that bypass proxies, for example in the “FB blocked at work” case
  • The whole thing was started by Firesheep: hijack a user session and take over the account, because the session data was being transmitted unencrypted and was sniffable over wifi
  • Rogue apps: http://www.readwriteweb.com/archives/how_safe_are_facebook_applications.php

Recommendations

  • You do not want to run everything over SSL; it is expensive from both a cost and a performance perspective
  • Install an SSL cert on the webserver hosting the app files. Get the SSL cert or the Progressive signed cert, valid for the domain
  • Do not use a self-signed certificate
  • Remove http references to content
  • Add https references when the content is known to be available over https. Example: loading jQuery from the googleapis.com ajax library
  • Same for any FB Connect code loaded over http
  • Actually, the best way is to use a protocol-relative URL. Start it with // so the content is loaded over the same protocol as the parent page. That way, when someone visits your content via http://, the content you are embedding doesn't unnecessarily get encrypted.
  • Populate the Secure Tab URL field or Secure Canvas URL field in the app
  • You don't need SSL certs for every client, but if you get a valid SSL cert for your domain and host all the content on it, you can host multiple clients' iframe content
  • https://apps.facebook.com/contactajit/
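As an added example that is not part of the original post, the following Python script audits a page for the kind of http:// subresource references described above and rewrites them as protocol-relative URLs, leaving navigation links and references that are already https alone. The sample page and the host example-app-host.test are constructed; ajax.googleapis.com is from the post, and connect.facebook.net is assumed to be the host of the FB Connect JS.

```python
"""Find the http:// subresource references this post describes and rewrite them
as protocol-relative (//host/path) URLs. Added example, not from the post; the
sample page is constructed and example-app-host.test stands in for your host."""
import re
from html.parser import HTMLParser

# Tag -> attribute that fetches a subresource and so triggers the browser's
# mixed-content warning. A plain <a href> is navigation, not embedded content.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}


class InsecureRefFinder(HTMLParser):
    """Collects (tag, url) for every subresource loaded over plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.lower().startswith("http://"):
                self.findings.append((tag, value))


def find_insecure_refs(html):
    parser = InsecureRefFinder()
    parser.feed(html)
    return parser.findings


# Matches the http:// prefix only inside a resource attribute of the tags above,
# so anchors and references that are already https are left untouched.
HTTP_RESOURCE_REF = re.compile(
    r'(?i)(<(?:script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["\'])http://')


def make_protocol_relative(html):
    """Drop the scheme so each resource follows the parent page's scheme.
    Only do this for hosts known to serve the same path over https."""
    return HTTP_RESOURCE_REF.sub(r"\1//", html)


# Constructed sample page mixing insecure, secure and navigation references.
SAMPLE_PAGE = """<html><head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<link rel="stylesheet" href="http://example-app-host.test/css/app.css">
<script src="https://connect.facebook.net/en_US/all.js"></script>
</head><body>
<img src="http://example-app-host.test/img/logo.png">
<a href="http://example-app-host.test/about">About</a>
</body></html>"""
```

Run `find_insecure_refs` on the rewritten page to confirm it reports nothing before deploying the fixed markup.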


Published By:

Author: Ajit Gaddam

Ajit Gaddam is an accomplished technology executive and is currently the Head of Security Engineering at Visa, where he is responsible for building large scale AI driven cybersecurity products, leading engineering programs, and providing expert guidance on cybersecurity matters. He has presented at conferences worldwide, including USENIX Enigma, RSA, Black Hat, Strata Data Hadoop, COSO Dublin, and GCS Ukraine. Ajit has been quoted by major media organizations and his work has been showcased in academic journals, security publications, and in two published books. He is an active participant in various open source and standards bodies, is a prolific inventor of disruptive technologies (over 100+ global patents), and moonlights as an instructor (SANS, community colleges).
