AreWeConnected.com

Custom WordPress Websites that Rock!

Poisoning The Well

Facebook Pages ·

9/24/2018 UPDATE: Facebook is now SECURE as are most other Social Networks. Your website should be secure too.

While the title may suggest something else, I’m not using this as a rhetorical device.  The general idea behind “Poisoning the Well” is that early on, something is introduced into the stream and it impacts everything downstream.  This post is about Custom Facebook Page Apps.   The key to this post is about

What We Don’t Know

And yes, it can hurt us!
We don’t know who the people are that are viewing our Facebook Page.
We don’t know what computer they are using.
We don’t know what browser they are using.
We don’t know what security settings they have their browser set to.
And even if we did, we wouldn’t want to exclude them.

I build custom apps for businesses pages on Facebook.
More and more I see incorrectly built applications that just don’t work.
When I say they don’t work, I’m not talking about their effectiveness.

I mean they flat out don’t load.  Nadda, Zippo, Zilch!
Worse yet, the viewer’s browser may provide a ominous popup scaring people away!

Here’s a screen shot from a site using my Mac and Firefox when I went to view a Custom Page App.

The same App in Chrome yields and even better response

Just how many people do you think will choose the “Ignore the Risks” option?
Not many, right?  Realistically, how about ZERO?

My browser showed me that warning when I tried to view an App in Facebook yet the App had absolutely no malicious content inside it.  The only thing that App did was break the chain of security.  That’s all.

Security is a chain

Like millions of others I choose to sign in to Facebook “securely”.  No big deal other than the little s at the end of http

That s means that for me, every thing I view inside of Facebook will rendered secure.  In simple terms, everything lives on a server somewhere.  Code can ‘call’ a picture, or text, or snippet of other code from a server.  The s part of https simply means that…

When you connect to a secure website, the server hosting that site presents your browser with something called a “certificate” to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your computer trusts. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended, and not a third party (such as an attacker on your network).

…says the warning from Chrome.

Here’s how my own Secure Server looks.

Your Facebook Apps could have a problem

The content within them now is all iframed.  That means the content lives on servers not owned by Facebook, servers that may or may not be secure.  That’s not a big issue as long as all the content, let me repeat that again for emphasis…
ALL THE CONTENT is coming from a secure server somewhere.

Here’s How You Screwed Up

Did you get one of those free apps that allow you to put stuff in a box to create a Page Tab?
Is the App itself hosted on a secure server?  Did you check?  It better be or your Tab is broken.
I see a lot of these right now.

Know a little html?  Did you write anything that looks like <img src=”http:
Congrats!  You just broke your own app!

You could also have a script for a form, a video embed code for YouTube or many other possibilities.  The same could be said for even a Paid App.   If just one single thing, one very small little thing comes from a non secure server – you’ve broken the chain.  You’ve broken your App.
No, you can’t just stick an s to the end of every http – nice try!

The Right Way to do it

There’s a right way to do it and it’s really simple too.  Just make sure everything is sourced from a secure server.  Everything.  If you do that, the Tab you’re building will be fine for both non secure and secure browsers (like me).

OR just HIRE ME

When Facebook announced that users would be able to sign in securely I saw what was needed and now every custom app I build resides on both a secure and non secure server so that no matter who views one of my Apps, no matter how they sign in, and no matter what browser they use – the App will work!

Mike Mueller
Connected?
Latest posts by Mike Mueller (see all)
New Comment Policy:
If you see something, say something!
(shamelessly borrowed from Homeland Security but really, let's bring commenting on posts back!)