Facebook is encouraging users to set their Account Security settings so that they log in and browse Facebook using the https: protocol. Doing this gives you added protection from snooping third parties, as all your traffic on Facebook will be securely encrypted. Setting your Account Security settings is pretty easy. From the Account menu at the top right of the screen, select Account Settings. On the account settings page, go to Account Security. You will see an image like this:

Facebook Account Security Settings

Select “Browse Facebook on a secure connection (https:) whenever possible”. Press the Save button and log out; the next time you log back in, you will be using the platform securely.

It’s a good idea to use Facebook in the secure mode if you ever browse in public locations like libraries or coffee shops. If your web traffic is not encrypted, it can be intercepted by anyone within wireless range of your computer using some off-the-shelf web traffic tools.

Now the bad news about Account Security. The secure https: connections have a habit of breaking Facebook Apps that don’t have a valid SSL security certificate issued to them. A security certificate is the token, or pass, used by servers and web browsers to assure that the traffic is properly encrypted. If a web server hosting a Facebook App page doesn’t have an SSL certificate, then you will see the following message:

Facebook security warning message

To see the content, you’ll need to turn off your Account Security and browse in unprotected mode. Pressing the Continue button turns off secure browsing and lets you view the content of the page or App.

If you are a web developer, read on to find out what you need to fix in your app.

Still with me? Great. First, a little back story: Facebook apps were originally developed in an extended version of HTML called FBML. Facebook is phasing out FBML and replacing it with iFrames. iFrames offer a lot more flexibility, but also throw more complexity into the mix, especially if all you want to do is make custom welcome screens and gates for new fans and followers of your page. Facebook’s iFrame Apps require you to host your content and HTML on an outside web server. This is fine for a regular http: connection, but when the user goes into https: mode the content will not display unless you have a valid SSL security certificate.

In order for your app to display content over the https: protocol, you will need to get a security certificate for your server and domain. There are many different certificate providers out there, such as GeoTrust, Thawte, and VeriSign. The easiest way to get a certificate is to order it from the company that does your hosting. Then they will do the configuration of the certificate for you.

Once you get your certificate configured for your domain and server, you will need to add your secure web address to the Facebook App’s secure canvas URL (use the https: protocol). The Canvas URL will still have the insecure web address.

Facebook App setting canvas url

Save the settings for the http: and https: locations of your Apps, and your page’s fans will now be able to view content regardless of whether they are in the regular browsing or secure browsing mode. Getting the SSL certificate and implementing the changes to your App will ensure that your Facebook App users will have a positive browsing experience.
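
A pre-flight check for the two settings above, as an added example that is not part of the original post or of Facebook's tooling: it validates the Secure Canvas URL and confirms that the server's certificate verifies the way a browser in secure mode would require. The function names, the example.com URLs and the rule that both URLs share a path are assumptions made for illustration.

```python
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit


def check_canvas_urls(canvas_url, secure_canvas_url):
    """Return a list of problems with the two app settings (empty means OK)."""
    plain, secure = urlsplit(canvas_url), urlsplit(secure_canvas_url)
    problems = []
    if secure.scheme != "https":
        problems.append("Secure Canvas URL must use https:")
    if not secure.hostname:
        problems.append("Secure Canvas URL has no host name")
    # Assumption: both settings should serve the same page, so paths match.
    if plain.path.rstrip("/") != secure.path.rstrip("/"):
        problems.append("Canvas URL and Secure Canvas URL paths differ")
    return problems


def fetch_verified_cert(secure_canvas_url, timeout=5):
    """TLS handshake with the app host, as a browser in secure mode would do.

    Raises ssl.SSLCertVerificationError when the chain is untrusted, the
    certificate has expired, or it was not issued for this host name.
    """
    parts = urlsplit(secure_canvas_url)
    context = ssl.create_default_context()  # verifies chain and host name
    address = (parts.hostname, parts.port or 443)
    with socket.create_connection(address, timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            return tls.getpeercert()


def days_left(cert, now=None):
    """Whole days until the certificate's notAfter date (negative if past)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


if __name__ == "__main__":
    # Constructed sample settings; pass two real URLs to also do the handshake.
    canvas, secure = "http://apps.example.com/welcome/", "https://apps.example.com/welcome/"
    if len(sys.argv) == 3:
        canvas, secure = sys.argv[1:]
    for issue in check_canvas_urls(canvas, secure):
        print("problem:", issue)
    if len(sys.argv) == 3 and not check_canvas_urls(canvas, secure):
        print("days left:", days_left(fetch_verified_cert(secure)))
```

Run it with the Canvas URL and Secure Canvas URL as arguments after the host installs the certificate; a verification error means users in secure browsing mode will still get the warning.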