Developer News
Update on the Transition to SHA-2: Moving to a More Secure Standard for Signed Certificates

In June, we posted about updating our encryption requirements for apps that integrate with Facebook to reflect a new and more secure industry standard. This is part of our commitment to helping developers build secure apps and protecting the people who use Facebook. We communicated that we would stop accepting SHA-1 based connections and begin exclusively supporting the more secure SHA-2 connections on October 1, 2015, at which time apps that did not support SHA-2 would no longer be able to connect to Facebook.

Since our last post, we have heard feedback from developers that they need more time to migrate their apps to support the SHA-2 standard. We're still committed to transitioning fully to SHA-2 as soon as we can, but in order to prevent people who use apps that integrate with Facebook from encountering broken experiences, we will continue to support SHA-1 signed certificates for apps that still require them until December 31, 2015. After December 31, 2015, some popular browsers, Chrome among them, are sunsetting SHA-1 and will begin rejecting otherwise valid certificates that use SHA-1 hashes. The errors you might see as a result will be specific to the TLS/crypto library your SDK is using. As an example, in the commonly used OpenSSL library, when an older version that doesn't know how to decode SHA256 hashes sees a certificate that uses this hash mechanism, it returns the error message 'unknown message digest algorithm'.

In the meantime, developers whose apps do not already support the SHA-2 standard should ensure that they execute a clean transition to SHA256 support as soon as possible. Apps that fail to do so by December 31, 2015 may not be able to connect to Facebook, and people who use these apps will encounter broken experiences. To avoid this scenario and to ensure that user data remains secure, it's imperative that developers test any server-side software or apps that access Facebook services against our SHA256-only endpoint {www,graph,api}.sha256.facebook.com. This endpoint will not be available for testing after December 31, 2015.
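One way to run that test from a server-side stack, as an added example that is not Facebook's code: the probe below handshakes with the Python interpreter's own TLS library (full verification on) and reports which hash appears in the leaf certificate's signatureAlgorithm field using a minimal DER walk, so a library that cannot handle SHA-256 signatures fails with its own error at the handshake. The `sample_cert` fixture is a constructed stand-in rather than a real certificate, `probe()` accepts any hostname, and the SHA256-only endpoint named above is documented here as available only until December 31, 2015.

```python
"""Check which hash signed a server's leaf certificate with a minimal DER walk (added example)."""
import socket
import ssl

# X.509 signatureAlgorithm OIDs the check distinguishes, keyed by DER content bytes (hex).
SIGNATURE_OIDS = {
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
    "2a8648ce3d0401": "ecdsa-with-SHA1",
    "2a8648ce3d040302": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count of the length itself
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def signature_algorithm(der):
    """Name of the OID in Certificate.signatureAlgorithm (RFC 5280 outer structure)."""
    tag, cert, _ = _tlv(der, 0)     # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _tlv(cert, 0)    # tbsCertificate: skipped, only the field after it is needed
    _, alg_id, _ = _tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    return SIGNATURE_OIDS.get(oid.hex(), "unknown OID " + oid.hex())

def probe(host, port=443):
    """Handshake with this interpreter's TLS stack (full verification on) and report the leaf's
    signature hash; a stack that cannot handle SHA-256 signatures raises its own SSLError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return signature_algorithm(tls.getpeercert(binary_form=True))

def _der(tag, content):
    """Short-form DER encoder (content under 128 bytes); fixture-building only."""
    return bytes([tag, len(content)]) + content

def sample_cert(oid_hex):
    """Constructed stand-in Certificate carrying the given signatureAlgorithm OID; not a real, signed cert."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                  # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")  # parameters NULL
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 5))  # dummy BIT STRING signatureValue
```

Call `probe("graph.sha256.facebook.com")` (or any host) to exercise the live path; `probe` returns only the leaf's algorithm, so intermediates in the chain must be checked separately if your library reports them.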

See here for more information from the Certificate Authority and Browser Forum, and here for more tips on how to build a secure app integrated with Facebook.