Facebook apps will break on October 1 if they don’t support SHA-2

Facebook has joined Microsoft's and Google’s efforts to phase out the use of SHA-1 to sign apps and websites.

From October 1 this year, apps that don’t support SHA-2 (or SHA-256) certificate signatures won’t be able to connect to Facebook, the company said on Tuesday, announcing its move to push third-party app developers toward a more secure cryptographic standard for signing apps.

“As part of our commitments to helping developers build secure apps and protecting the people who use Facebook, we’re updating our encryption requirements for Facebook-connected apps to reflect a new and more secure industry standard,” Facebook said today.

That deadline may force many developers off the widely used SHA-1 hashing function, which has long shown signs of weakness and has therefore been deprecated by Microsoft, Google and industry bodies such as the CA/Browser Forum.

Microsoft advised customers and certificate authorities in 2013 that its Root Certificate Program for Windows would reject SHA-1 SSL certificates from January 1, 2017, and that they should be replaced with SHA-2 certificates by that date.

Google is handling the phase-out a little differently for Chrome. In September last year it announced a more aggressive timeline based on a system of escalating warnings, starting with Chrome 39 (released in November last year), that tell users an HTTPS site is either “secure, but with minor errors”, “neutral, lacking security” or “affirmatively insecure” when its certificates are signed with SHA-1.

At the time of Google’s policy update, some observed that the search company aimed to pressure website owners into moving beyond SHA-1 by “threatening them with user confusion”.

Before that, the CA/Browser Forum deprecated the use of SHA-1 in 2011 when it published the Baseline Requirements for SSL.

Facebook points out that the CA/Browser Forum has now set a “full sunset date for January 1, 2016”, and it wants developers of Facebook-connected apps to beat that deadline by a few months.

“We'll be updating our servers to stop accepting SHA-1 based connections before this final date, on October 1, 2015. After that date, we'll require apps and sites that connect to Facebook to support the more secure SHA-2 connections.”

“We recommend that developers check their applications, SDKs, or devices that connect to Facebook to ensure they support the SHA-2 standard. If your app already supports this standard, then no action is necessary. But if your app relies on SHA-1 based certificate verification, then people may encounter broken experiences in your app if you fail to update it.”
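One concrete audit step behind that recommendation is to look at which hash a certificate's signature actually uses. The script below is an added example, not code from the article or from Facebook's SDKs: it parses the outer signatureAlgorithm OID of a DER-encoded X.509 certificate with only the Python standard library and flags SHA-1. The certificate-shaped inputs at the bottom are constructed skeletons for offline testing, not real certificates.

```python
"""Classify an X.509 certificate's signature hash (SHA-1 vs SHA-2) using only
the Python standard library; the DER inputs at the bottom are constructed."""

SIG_ALG_HASH = {                            # signatureAlgorithm OID -> hash
    "1.2.840.113549.1.1.5": "sha1",         # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",      # sha256WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",            # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",        # ecdsa-with-SHA256
}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real certs)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(der_cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return the hash family named by the outer signatureAlgorithm OID."""
    _, body, _ = _read_tlv(der_cert, 0)     # outer SEQUENCE
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = _read_tlv(alg_id, 0)  # its first element is the OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return SIG_ALG_HASH.get(decode_oid(oid_raw), "unknown")

def needs_sha2_upgrade(der_cert):
    return signature_hash(der_cert) == "sha1"

# Constructed inputs: certificate-shaped DER skeletons, not real certificates.
def _der(tag, content):                     # short-form lengths only
    return bytes([tag, len(content)]) + content

def _fake_cert(oid_hex):
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))

SHA1_CERT = _fake_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_CERT = _fake_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

To classify a live server's leaf certificate, pass `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` to `signature_hash`; a full audit should also walk the intermediates, since a SHA-1 signature anywhere below the root is what the browsers' deadlines target.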

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
