Facebook: Apps Must Support SHA-2 Encryption by Oct. 1

By Wednesday, June 3, 2015 0 Permalink 0

Facebook followed up its test of improved encryption for notification emails with a mandate that developers move to a more secure standard for their applications.

As of Oct. 1, apps that do not support SHA-2 certificate signatures will be unable to connect to the social network, production engineer Adam Gross wrote in a post on the Facebook developer blog.

Gross explained the change as follows:

These changes are part of a broader shift in how browsers and websites encrypt traffic to protect the contents of online communications. Typically, Web browsers use a hash function to create a unique fingerprint for a chunk of data or a message. This fingerprint is then digitally signed to prove that a message has not been altered or tampered with when passing through the various servers and systems between your computer and Facebook’s servers.

For the past two decades, the SHA-1 standard has been the preferred choice across the Internet for calculating message fingerprints. But after identifying security weaknesses in SHA-1, the Certificate Authority and Browser Forum recently published new Baseline Requirements for SSL, recommending that all certificate authorities transition away from SHA-1 based signatures, with a full sunset date of Jan. 1, 2016.

We’ll be updating our servers to stop accepting SHA-1 based connections before this final date, on Oct. 1, 2015. After that date, we’ll require apps and sites that connect to Facebook to support the more secure SHA-2 connections.

Gross suggested that developers check their apps, software-development kits and devices that connect to Facebook in order to determine whether they support SHA-2, adding that more information is available here and here.

Developers: Are you ready?

Continue at source – 

Facebook: Apps Must Support SHA-2 Encryption by Oct. 1

No Comments Yet.

Leave a Reply

Your email address will not be published. Required fields are marked *