On October 1, 2011, Facebook fan (business) page owners will be required to have an SSL Certificate to fully secure their custom embedded content. This is usually the Welcome page. Here’s an overview explaining all the geek-speak with tips to help you square this issue away quickly and cheaply.
What is an SSL Certificate?
SSL is an acronym for Secure Sockets Layer. The Certificate part of it means that the security of it has been verified by a trusted source. Any site that takes credit card payments and such has an SSL Certificate.
Why is Facebook Doing This?
There was a perfect storm earlier this year when Facebook put a deadline on anyone creating tabs on fan pages using their proprietary coding language called FBML. Shortly afterward a hacker found a way to hijack a Facebook user’s login info when they logged in on Wi-Fi. (Read Are Facebook Business Pages Too Complex for New Users?)
That caused everyone to switch to secure logins using https instead of http. At the same time, Facebook wanted folks to start using iFrames for tabs instead of FBML. Unfortunately, they didn’t work when folks used their secure login. So, everyone with an iFrames tab had to host the content on a secure server. (Read Where You Host Facebook iFrame Content Matters)
Now Facebook is requiring everything coming in and out of their space to be secure. That means the following will have to be on a secure site:
- Embedded content hosted on another site including anything using a tab
- Anything that requires folks to log in using their Facebook profile
The real reason that Facebook is making you jump through all of these hoops is that it’s the only way to secure your Facebook page and account from getting hijacked. And it’s the only way to keep your Facebook account safe when you visit other pages, especially those running apps.
Two Types of SSL Certificates
The first type is a Shared Certificate (also called variable). It is available to folks who have a shared hosting account, also called shared IP. (This is the type of hosting most site owners have. Unless you specified a Dedicated Server account and paid an extra premium for it, you’re probably on shared hosting. Same is true if you got your hosting through a reseller such as your site designer.)
The second type is a Private SSL Certificate (also called static). This is one that you purchase for your primary domain on a Dedicated Hosting package. It will not work on a shared IP.
Where Do I Get an SSL Certificate?
The first place to check is with your current host. Shared Certificates are often free. If you have a Dedicated IP, you can purchase a certificate either through your host or through a third party. Most hosts recommend third parties that they like working with. (Yes, they probably get a kickback, but they make it easy to integrate.) Purchased SSL Certificates cost $10 – $80 a year for a basic one and up to $500 for a super deluxe one.
FYI, a Dedicated IP is about $2 – $3 a month, or about $30/year more than what you’re paying now for hosting.
If you hired someone to build a custom Facebook Welcome page for you, or if you are using an app that has iFrames, check with them. I bet they’re looking right now for deals. Or, they may already be storing your iFrames tab content on a secure site that has an SSL.
What Else to Look For
Purchased SSL Certificates are domain specific, meaning that you can only use them on your primary domain, not on sub-domains. This may affect you if you have a landing/sales page on a sub-domain that requires interaction with a Facebook page. (You can secure your sub-domains with a certificate that has what’s known as a wildcard.)
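For the technically curious, here is an added example (not part of the original post) showing in Python how a browser decides whether a certificate's names cover a given address, including the wildcard case. The function names and the example.com hostnames are made up for illustration.

```python
# Added example: matching a hostname against the names listed in a certificate.
# All hostnames here are constructed placeholders.

def name_matches(cert_name, hostname):
    """Return True if one certificate name covers the hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        # A wildcard stands in for exactly one label, so the counts must agree.
        return False
    if pattern[0] == "*":
        # Refuse over-broad names such as "*.com": need two fixed labels.
        if len(pattern) < 3 or host[0] == "":
            return False
        return pattern[1:] == host[1:]
    # No wildcard (or a partial one like "w*"): only an exact match counts.
    return pattern == host


def cert_covers(cert_names, hostname):
    """Return True if any name in the certificate covers the hostname."""
    return any(name_matches(name, hostname) for name in cert_names)


SINGLE_DOMAIN = ["example.com"]                 # basic purchased certificate
WILDCARD = ["example.com", "*.example.com"]     # wildcard certificate

if __name__ == "__main__":
    for host in ("example.com", "sales.example.com", "a.sales.example.com"):
        print(f"{host:22} single={cert_covers(SINGLE_DOMAIN, host)!s:5} "
              f"wildcard={cert_covers(WILDCARD, host)}")
```

Note that a wildcard covers one level of sub-domain only, and that `*.example.com` on its own does not cover the bare `example.com`.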
What Else You Can Do with an SSL Certificate
A Shared Certificate is fine for meeting the new Facebook requirements. However, if you’re going to purchase a certificate, you can do a little more with it. For instance, if you have a login form on your site, you can put a little note on it that states, “Secured by SoAndSo” or “Secure Login” or some such thing. If you use a third-party payment processor, you can secure it with your certificate. (You only need this if you’re using a merchant account or such. You don’t need it if you’re using PayPal – they have their own.) If you need to earn the trust of those using your site, you can pay a little more for a well-known issuer that they will instantly recognize, like VeriSign.
Shopping for a Deal
Again, if you hired someone to customize your Facebook fan page or are using an app for your tabs, check with them first because you may not need to do anything. But, if you do need to buy a Certificate, be sure to check with your current hosting company first. It’s likely to be the best deal you’ll find. If you want to shop around a bit, here’s a handy little SSL Certificate Wizard that will let you try different combinations to match your needs.
Consider Changing Your Links
You may also want to change any links that go to your Facebook page so that they begin with the https prefix. This is not part of the SSL Certificate requirement, nor do you have to do it. However, since everyone uses a secure login for Facebook, you can update your links to match. Those include:
- Social media icons/links in your sidebar
- Links in your social buttons plugin
- Links in your author box and/or profile
Plus, you’ll need to update all of the links not on your site, including:
- Your email signature
- Profiles on other sites like LinkedIn
- Profiles on accounts you use to make blog comments
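If you or your developer want to check a page by script, here is an added Python example (not part of the original post) that scans HTML for the two things covered above: embedded content still loaded over http, which is what the secure hosting requirement is about, and http links to Facebook that you may want to update. The sample page, its hostnames and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs whose URL the browser loads into the page itself.
EMBED_ATTRS = {("iframe", "src"), ("script", "src"), ("img", "src"),
               ("embed", "src"), ("object", "data")}
FACEBOOK_HOSTS = {"facebook.com", "www.facebook.com"}

# Constructed sample page; every host and path here is a placeholder.
SAMPLE_PAGE = """
<iframe src="http://tabs.example.com/welcome.html"></iframe>
<script src="https://cdn.example.com/app.js"></script>
<img src="http://www.example.com/logo.png">
<img src="/images/banner.png">
<a href="http://www.facebook.com/ExamplePage">Like us</a>
<a href="https://www.facebook.com/ExamplePage">Like us (secure)</a>
<a href="http://www.example.com/about">About</a>
"""

class InsecureUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure_embeds = []   # (tag, url) pairs still loaded over http
        self.facebook_links = []    # http links to Facebook worth updating

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = urlparse((value or "").strip())
            if url.scheme != "http":
                continue  # relative, https and empty values need no change
            if (tag, name) in EMBED_ATTRS:
                self.insecure_embeds.append((tag, value))
            elif (tag, name) == ("a", "href") and url.hostname in FACEBOOK_HOSTS:
                self.facebook_links.append(value)

def scan(html):  # returns (insecure_embeds, facebook_links)
    finder = InsecureUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.insecure_embeds, finder.facebook_links

def to_https(url):
    return urlparse(url)._replace(scheme="https").geturl()

if __name__ == "__main__":
    embeds, links = scan(SAMPLE_PAGE)
    for tag, url in embeds:
        print(f"insecure <{tag}>: {url}")
    for url in links:
        print(f"update link: {url} -> {to_https(url)}")
```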
Folks to Follow
Here are the folks on Facebook I’m watching for more news and how-to posts on this topic:
Hugh Briss of Social Identities – one of the most helpful folks on Facebook
Static HTML: iFrames Tab – app developers for tabs
Mari Smith – the undisputed Queen of Facebook