Facebook iFrames and SSL Certificates Explained

On October 1, 2011, Facebook fan (business) page owners will be required to have an SSL Certificate to fully secure their custom embedded content. This is usually the Welcome page. Here’s an overview explaining all the geek-speak with tips to help you square this issue away quickly and cheaply.

What is an SSL Certificate?

SSL is an acronym for Secure Sockets Layer. The Certificate part means that the site’s security has been verified by a trusted source. Any site that takes credit card payments and such has an SSL Certificate.

Why is Facebook Doing This?

There was a perfect storm earlier this year when Facebook put a deadline on anyone creating tabs on fan pages using their proprietary coding language called FBML. Shortly afterward a hacker found a way to hijack a Facebook user’s login info when they logged in on wi-fi. (Read Are Facebook Business Pages Too Complex for New Users?)

That caused everyone to switch to secure logins using https instead of http. At the same time, Facebook wanted folks to start using iFrames for tabs instead of FBML. Unfortunately, they didn’t work when folks used their secure login. So, everyone with an iFrames tab had to host the content on a secure server. (Read Where You Host Facebook iFrame Content Matters)

Now Facebook is requiring everything coming in and out of their space to be secure. That means the following will have to be on a secure site:

  • Embedded content hosted on another site including anything using a tab
  • Anything that requires folks to login using their Facebook profile

The real reason that Facebook is making you jump through all of these hoops is that it’s the only way to secure your Facebook page and account from getting hijacked. And it’s the only way to keep your Facebook account safe when you visit other pages, especially those running apps.
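Having the tab page on a secure site is only half of it: everything that page embeds has to load over https as well, or browsers will block or warn about it inside the secure Facebook frame. The sketch below is an added example, not from the original post; the URLs and the sample page are constructed, and `find_insecure_refs` is a hypothetical helper name. It lists the embedded items in a tab page that would still load over plain http.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser load (or post to) another URL.
# Plain <a href> links are left out on purpose: they are navigation,
# not embedded content.
LOADING_ATTRS = {"iframe": "src", "script": "src", "img": "src", "embed": "src",
                 "source": "src", "object": "data", "form": "action", "link": "href"}

class InsecureRefFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (line, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(LOADING_ATTRS.get(tag, ""))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return                  # only stylesheets are loaded as page content
        # Relative and protocol-relative URLs inherit the page's own scheme.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((self.getpos()[0], tag, absolute))

def find_insecure_refs(html, page_url):
    """Return (line, tag, url) for every embedded item fetched over http."""
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of a Welcome-tab page.
SAMPLE_TAB = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/tab.css">
<script src="https://cdn.example.net/tab.js"></script>
</head><body>
<img src="/images/welcome.png">
<img src="http://www.example.com/images/badge.png">
<a href="http://www.example.com/about">About us</a>
<iframe src="//video.example.net/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_refs(SAMPLE_TAB, "https://tabs.example.com/welcome/"):
        print(f"line {line}: <{tag}> loads {url}")
```

Served from an https address, only the two hard-coded http items are reported; the same page served from an http address fails on its relative and protocol-relative items too.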

Two Types of SSL Certificates

The first type is a Shared Certificate (also called variable). It is available to folks who have a shared hosting account, also called shared IP. (This is the type of hosting most site owners have. Unless you specified a Dedicated Server account and paid an extra premium for it, you’re probably on shared hosting. Same is true if you got your hosting through a reseller such as your site designer.)

The second type is a Private SSL Certificate (also called static). This is one that you purchase for your primary domain on a Dedicated Hosting package. It will not work on a shared IP.

Where Do I Get an SSL Certificate?

The first place to check is with your current host. Shared Certificates are often free. If you have a Dedicated IP, you can purchase a certificate either through your host or through a third party. Most hosts recommend third parties that they like working with. (Yes, they probably get a kickback, but they make it easy to integrate.) Purchased SSL Certificates cost $10 – $80 a year for a basic one and up to $500 for a super deluxe one.

FYI, a Dedicated IP is about $2 – $3 a month, or about $30/year more than what you’re paying now for hosting.

If you hired someone to build a custom Facebook Welcome page for you, or if you are using an app that has iFrames, check with them. I bet they’re looking right now for deals. Or, they may already be storing your iFrames tab content on a secure site that has an SSL.

What Else to Look For

Purchased SSL Certificates are domain-specific, meaning that you can only use them on your primary domain, not on sub-domains. This may affect you if you have a landing/sales page on a sub-domain that requires interaction with a Facebook page. (You can secure your sub-domains with a certificate that has what’s known as a wildcard.)
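To see which of your addresses a given certificate would actually cover, here is an added example (not from the original post) of the name-matching rule browsers apply. The domain names are constructed and the function names are hypothetical. It shows that a wildcard covers exactly one level of sub-domain, and does not cover the bare domain unless that name is also listed on the certificate.

```python
# Added illustration; every domain name here is a constructed example.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def name_covers(cert_name, hostname):
    """True if one name on a certificate covers the hostname.

    Conservative browser-style rule: '*' is accepted only as the whole
    left-most label and stands for exactly one label.
    """
    pattern, host = _labels(cert_name), _labels(hostname)
    if len(pattern) != len(host) or "" in host:
        return False
    if any("*" in label for label in pattern[1:]):
        return False                  # wildcard anywhere but the left-most label
    if pattern[0] == "*":
        # Require at least two labels after the '*', so "*.com" is refused.
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    if "*" in pattern[0]:
        return False                  # partial wildcards such as "w*" are not honoured
    return pattern == host

def uncovered_hosts(cert_names, hostnames):
    """Hostnames that none of the certificate's names cover."""
    return [h for h in hostnames
            if not any(name_covers(n, h) for n in cert_names)]

# Constructed list of addresses a site owner might be using.
SITE_HOSTS = ["example.com", "www.example.com",
              "shop.example.com", "a.shop.example.com"]

if __name__ == "__main__":
    for kind, names in [("single-domain", ["example.com"]),
                        ("wildcard only", ["*.example.com"]),
                        ("wildcard + bare domain", ["*.example.com", "example.com"])]:
        print(kind, "-> not covered:", uncovered_hosts(names, SITE_HOSTS))
```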

What Else You Can Do with an SSL Certificate

A Shared Certificate is fine for meeting the new Facebook requirements. However, if you’re going to purchase a certificate, you can do a little more with it. For instance, if you have a login form on your site, you can put a little note on it that states, “Secured by SoAndSo” or “Secure Login” or some such thing. If you use a third-party payment processor, you can secure it with your certificate. (You only need this if you’re using a merchant account or such. You don’t need it if you’re using PayPal – they have their own.) If you need to earn the trust of those using your site, you can pay a little more for a well-known issuer that they will instantly recognize, like VeriSign.

Shopping for a Deal

Again, if you hired someone to customize your Facebook fan page or are using an app for your tabs, check with them first because you may not need to do anything. But, if you do need to buy a Certificate, be sure to check with your current hosting company first. It’s likely to be the best deal you’ll find. If you want to shop around a bit, here’s a handy little SSL Certificate Wizard that will let you try different combinations to match your needs.

Consider Changing Your Links

You may also want to change any links that go to your Facebook page so that they begin with the https prefix. This is not part of the SSL Certificate requirement, nor do you have to do it. However, since everyone uses a secure login for Facebook, you can update your links to match. Those include:

  • Social media icons/links in your sidebar
  • Links in social buttons plugin
  • Links in your author box and/or profile

Plus, you’ll need to update all of the links not on your site including:

  • Your email signature
  • Profiles on other sites like LinkedIn
  • Profiles on accounts you use to make blog comments

Folks to Follow

Here are the folks on Facebook I’m watching for more news and how-to posts on this topic:

  • Hugh Briss of Social Identities – one of the most helpful folks on Facebook
  • Static HTML: iFrames Tab – app developers for tabs
  • Mari Smith – the undisputed Queen of Facebook


MaAnna is a geek who can still speak in plain English and mashes up her background in both the techie and artsy worlds to teach non-geeks, authors, artists, and other creative folks the ways of WordPress.


15 Responses to Facebook iFrames and SSL Certificates Explained

  • What a huge mess. So if I post links from my blog in a status, must they be https too?

    If I have an entry to like someone’s fb page in a giveaway, must that link be https?

    I have so many of your daily newsletters of stuff I need to do that I feel like I am working for you! teehee!

    • BlogAid says:

      My understanding is that all links to Facebook content ought to be https simply because most folks are using a secure login. But, keep in mind that this is a different issue than the SSL Certificate requirement. That is for off-site content which will be embedded on a Facebook page via an app, like for a Welcome page. I’m going to have to make an update to the post to make that distinction about the links thing. That was a bit of midnight oil non-clarity!

  • Keri says:

    MaAnna,

    Thank you for this information!

    It’s always something with Facebook, eh?

    My husband thinks they spin a wheel every day to decide what won’t work, or what craziness will be news.

    ~Keri

    • BlogAid says:

      Keri, I’m agreeing with you and your hubby. I understand the reasons they have given, but isn’t it odd that LinkedIn and now Google+ don’t have all these security hoops to jump through, at least not yet.

  • Hugh Briss says:

    Nicely done explanation, Ma, and thanks for the shout out at the end.

    I would like to mention that it won’t be necessary to change links on your website, blog, email sigs, etc. Once someone selects the option to use Facebook in secure mode any Facebook Page or profile they visit will load with an https suffix. To test this you can turn on security in your Facebook settings and then click the Facebook button in your sidebar and you’ll see that the Page loads fine and with the https URL.

    • BlogAid says:

      Thanks Hugh. I’ll revise the post again. Maybe it was certain apps folks were using that made my login jump from secure to non-secure to use. As soon as everyone gets their content on a secure site, that problem will take care of itself.

  • Dave says:

    I’m pretty new and still don’t understand how to create apps for Facebook or figure out this SSL thing. If I get an SSL cert through my GoDaddy account, will that solve whatever problems I’ll have?

    • BlogAid says:

      Dave, the easiest way for you to proceed is to use a Facebook app from a developer that stores the files on their secure server. That way you don’t have to worry about creating an app or getting an SSL Certificate. The folks at Static HTML app are some of my faves.

  • Theresa French says:

    Hi there… thanks for sharing the info, this was new to me so I checked my usual places for more info and I’m not finding anywhere in the Facebook Blog or the other FB authoritative resources I typically check, anything about this requirement. Can you provide me with some additional information as to where this info can be found and verified? THANKS much!

  • Theresa French says:

    http://developers.facebook.com/roadmap/

    Yep… found it. Here is another link that others might find helpful.

  • Lisa Wills says:

    Hi MaAnna – it’s a great post for Pages owners but still daunting as Facebook changes so fast and makes everything so confusing. We just launched http://Pholiofy.com – the Facebook Pages Publishing Platform. It’s built on WordPress and secured with an SSL certificate. Pages owners host and develop their content on the platform and use our app to publish it into Facebook. They don’t have to worry about Facebook changes (we’ll do that) and it’s https secure from the get go.
