14 DAY TRIAL // Facebook has asked all developers on its platform to obtain SSL certificates and make their apps compatible with HTTPS and OAuth 2.0 by October 1st.
The company presented its plans in a post on its developer blog, saying that it's in the best interest of everyone to implement the two technologies as soon as possible.
Facebook has had support for full-session HTTPS connections for a long time, but the feature only began being used by a considerable number of people since the site added the ability for users to make the setting persistent.
However, even with this option, the appeal for HTTPS remained fairly low, because most third-party apps, and even Facebook Chat, didn't support it.
Each time someone tried to use an app they were prompted to switch back to the unsecure HTTP connection. Even more, at first this change was permanent, the checkbox enabling automatic HTTPS being cleared from the user's profiles.
This has since changed and the switch is now temporary, however, Facebook's HTTPS implementation still fails to meet usability and security needs and it will stay like that until apps become available over encrypted connections too.
"[...] We have been working with Symantec to identity issues in our authentication flow to ensure that they are more secure. This has led us to conclude that migrating to OAuth & HTTPs now is in the best interest of our users and developers," wrote Facebook's Naitik Shah on the developer blog.
According to the timeline posted by the company, all developers need to migrate their apps to OAuth 2.0 and expect and encrypted access token by September 1. They also have to start processing signed_request (HTTPS) by October 1.
This means that developers will need to obtain an SSL certificate and fill in the "Secure Canvas URL" and "Secure Tab URL" fields in the Developer App with the corresponding information.