Facebook apps will break on October 1 if they don’t support SHA-2

Facebook has joined Microsoft's and Google’s efforts to phase out the use of SHA-1 to sign apps and websites.

From October 1 this year, apps that don’t support SHA-2 (or SHA-256) certificate signatures won’t be able to connect to Facebook, the company said on Tuesday, announcing its move to push third-party app developers toward a more secure cryptographic standard for signing apps.

“As part of our commitments to helping developers build secure apps and protecting the people who use Facebook, we’re updating our encryption requirements for Facebook-connected apps to reflect a new and more secure industry standard,” Facebook said today.

That deadline may force a lot of developers to move off the widely used SHA-1 hashing function, which has long shown signs of weakness and has therefore been deprecated by Microsoft, Google and industry bodies such as the CA/Browser Forum.

Microsoft in 2013 advised customers and certificate authorities that its Root Certificate Program for Windows would reject SHA-1 SSL certificates from January 1, 2017, and that they should be replaced by SHA-2 certificates by that date.

Google is handling the phase-out a little differently for Chrome. In September last year it announced a more aggressive timeline based on a system of escalating warnings, starting with Chrome 39 (released in November last year), that tell users an HTTPS site signed with SHA-1 is either “secure, but with minor errors”, “neutral, lacking security” or “affirmatively insecure”.

At the time of Google’s policy update, some observed that the search company aimed to pressure website owners into moving beyond SHA-1 by “threatening them with user confusion”.

Prior to this, the CA/Browser Forum in 2011 deprecated the use of SHA-1 when it published the Baseline Requirements for SSL.

Facebook points out that the browser forum has now set a “full sunset date for January 1, 2016”, and is looking for developers of Facebook-connected apps to beat that deadline by a few months.

“We'll be updating our servers to stop accepting SHA-1 based connections before this final date, on October 1, 2015. After that date, we'll require apps and sites that connect to Facebook to support the more secure SHA-2 connections.”

“We recommend that developers check their applications, SDKs, or devices that connect to Facebook to ensure they support the SHA-2 standard. If your app already supports this standard, then no action is necessary. But if your app relies on SHA-1 based certificate verification, then people may encounter broken experiences in your app if you fail to update it.”
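The practical check behind that recommendation is to look at which hash algorithm signs the certificates your app or SDK actually verifies: a client that still pins or validates a SHA-1-signed chain will fail once the server side moves to SHA-2. The script below is an added example, not Facebook's or CSO's code. It uses only the Python standard library: a minimal DER walker reads the outer `Certificate` SEQUENCE, skips `tbsCertificate`, decodes the `signatureAlgorithm` OID and classifies it as SHA-1 or SHA-2 based. The `fake_certificate` helper builds constructed, certificate-shaped DER blobs (not real certificates) so the checker runs offline; `server_certificate_der` is an assumed convenience wrapper around `ssl.get_server_certificate`, which needs network access and returns only the leaf certificate, so intermediates must be checked separately (for example with `openssl x509 -text -noout`).

```python
"""Classify the signature algorithm of a DER-encoded X.509 certificate (stdlib only)."""
import ssl
import sys

# Signature-algorithm OIDs a developer is likely to meet (RFC 3279 / RFC 5758).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA2_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID content octets into dotted form."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Extract the dotted signatureAlgorithm OID from a DER Certificate."""
    tag, pos, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)             # tbsCertificate, skipped whole
    tag, alg_start, _ = _read_tlv(der, tbs_end)     # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected an OID")
    return _decode_oid(der[oid_start:oid_end])


def classify(der):
    """Return 'sha1' (deprecated), 'sha2' or 'unknown' for the certificate's signature."""
    oid = signature_oid(der)
    return "sha1" if oid in SHA1_SIG_OIDS else "sha2" if oid in SHA2_SIG_OIDS else "unknown"


def server_certificate_der(host, port=443):
    """Fetch the leaf certificate a live server presents (network access required)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# --- constructed test data: certificate-shaped DER, NOT real certificates ---
def _der(tag, content):
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return _der(0x06, body)


def fake_certificate(sig_oid):
    """Build Certificate { tbs placeholder, AlgorithmIdentifier{sig_oid, NULL}, BIT STRING }."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                     # stand-in tbsCertificate
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))  # AlgorithmIdentifier
    sig = _der(0x03, b"\x00" * 17)                            # dummy signatureValue
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_sig.py graph.facebook.com
        print(sys.argv[1], classify(server_certificate_der(sys.argv[1])))
    else:
        for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
            print(oid, classify(fake_certificate(oid)))
```

Run it with a hostname to classify a live leaf certificate, or with no arguments to see the constructed SHA-1 and SHA-256 samples classified. Anything reported as `sha1` in a chain your app verifies is what Facebook's deadline is about; a result of `unknown` means an algorithm outside the table above and deserves a manual look.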

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
