Facebook Pages changes;- SSL Certificate requirements that you need to know about

Notice: Undefined index: dd_float_option_initial_element in /home/ilocalse/public_html/wp-content/plugins/digg-digg/digg-digg.php on line 342

Notice: Undefined variable: dd_override_start_anchor_id in /home/ilocalse/public_html/wp-content/plugins/digg-digg/digg-digg.php on line 351

Notice: Undefined variable: dd_override_top_offset in /home/ilocalse/public_html/wp-content/plugins/digg-digg/digg-digg.php on line 352

Facebook recently announced a major change which will be implemented later this year;- A validΒ  SSL Certificate for Facebook Pages will be mandatory from 1st October 2011 if the Page has customization and is hosted outside of Facebook.

So what does this mean for the Facebook Page owner and the Facebook Page visitor?

Firstly, no doubt there will be a heap of prowling, noise making sharks ready to take your money just as there was when Facebook announced it was stepping away from FBML in favor of iFrames back in March 2011. Read on and don’t be duped by these prowling, noise makers!

What is a SSL Certificate?
SSL is the standard abbreviation for a Secure Socket Layers. In a nutshell SSL encrypt information as it is transferred across the internet. The issue of the SSL Certificate is proof that a domain is protected by a SSL.

Generally a SSL Certificate is valid for 1 year and can’t be refunded. If you do not want to renew your SSL Certificate usually you just let it expire. Some hosting companies allow customers to purchase a SSL Certificate which is valid for longer than one year, but they are never issued for less than a year. When you renew SSL, you must also reinstall a new certificate, so the purchase of a SSL Certificate valid for over one year can save time.

What’s the difference between Https and Http?

Https and Http The difference Explained
Https and Http The difference Explained in Brief!

The nitty gritty is:-

  • From October 1st 2011 your Facebook Page will have to be served through HTTPS as opposed to just HTTP and for security that’s a good thing!
  • You will have a valid SSL certificate on your hosting.
  • You will need to complete the “Secure Canvas URL” and “Secure Tab URL” fields in the Developer App with the corresponding information.
  • If you are using a 3rd party app for your Facebook Page customization the platform used to host your Page must have a valid SSL certificate.

This might sound tricky but it’s like most things;- easy when you know how, look out for video coming soon in our Client Resources area.

Back in February 2011 we heard…

Facebook Alert February 2011
Facebook Security Alert February 2011 Https and Http

What do Facebook Say?…

What Facebook Says About SSL ... in brief

How much does an SSL Certificate cost?

I’ve been chatting with Zane at HostGator about the cost which would be incurred in obtaining a private SSL certificate. Zane told me at HostGator the cost varies depending on the plan that you have the cheapest being around $50. However if you have a business plan you can get a SSL certificate for free. Other companies offer them from upward $1.99 a month and there are SSL for cloud hosting too

What does one SSL certificate cover?
1 SSL will cover one domain and any sub-directories which you install;- but it will not cover sub-domains, each sub-domain would also require its own SSL

Do not be alarmed by noisy scaremongering tales in social spaces;- If in doubt give us a call, we can help.

Sadie-Michaela Harris





64 Replies to “Facebook Pages changes;- SSL Certificate requirements that you need to know about”

  1. Forgive me if I’m being silly, but I don’t understand what you are saying here. It seems to say that it covers sub-domains and then it says that it doesn’t cover sub domains.

    “1 SSL will cover one domain and any sub-directories which you install;- but it will not cover sub-domains, each sub-domain would also require its own SSL”

    1. Cory, Hello

      A Sub Domain and a Sub Directory are different entities. A Sub Domain is actually a different Domain name thus has its own DNS.
      Whereas a Sub-directory is just an extension of the primary domain. Hope that helps πŸ™‚

      As mentioned Ò€œ1 SSL will cover one domain and any sub-directories which you install;- ….
      BUT it will not cover sub-domains, each sub-domain would also require its own SSLÒ€ πŸ™‚

  2. so am to assume this only applies if we have a hosted solution to a branded page? If the page is not altered in any way then no need for this, correct? but any kind of capture page or video etc where the frame is hosted somewhere else will require this security?

    1. Hello Dawn,

      That’s correct, if you are not having any customization to your Page which is hosted outside of Facebook then a SSL certificate is not required. Likewise people using 3rd party apps and platforms will not need a SSL certificate as it will be held be the app hosting company. I hope that helps πŸ™‚

  3. great article and valid information details too – can you tell me if the SSL certificate has to be held by the fanpage hosting app owner or if this also applies to the person who creates the page using an app?

    What I am trying to discern is – if I create a fanpage for a client and upload images to my own server which I then add into the html code I paste into a page app – do both myself and the page app owner need to have an SSL certificate or only the app owner as they are hosting the finalised page code etc?

    Also do you know what effect this will ahve on peoples optin forms? ie aweber does not provide https form creation – will this mean that the forms will stop being able to be displayed in facebook when SSl requirements come into force?

    Thank you
    better known as the How2girl

    1. Hello Carol,

      I’m delighted you found the article useful.

      To clarify it is the domain where the iFrame is actually hosted which must have the the SSL Certificate.

      In your case if you create customized Facebook tab using an iFrame for your clients using a 3rd party iFrame developers app like http://lujure.net or http://iframeengine.net formerly FanPageEngine your client’s Page will be hosted by Lujure or FPE and they must hold the valid SSL Certificate.

      If you host your client’s iFrame on your domain in a subdirectory you will need to hold a valid SSL certificate.
      1 SSL certificate will cover the domain plus including sub-directories. NB *It will not cover any Sub-domains*

      If your client hosts the iFrame on their own domain, or a sub directory of their domain, the client’s domain must hold a valid SSL Certificate.

      Hope that helps, feel free to pop back if you have any more questions, it’s a hot topic at the moment! πŸ™‚

      1. Ps… sorry … about the optin form from Aweber or similar… the code for that will be held within the iFrame you create so that will be no problem. Let me know if you have any more questions πŸ™‚

  4. Hi Sadie,

    Well I’m actually glad you’ve explained an issue which seldom gets addressed online.

    It seems there’s a scarcity of information on the vulnerability of cookies and the consequences for end-users. At least now I’m aware of what steps I can take.

    Thanks for explaining technical-related issues in easy to understand language.


  5. Really helpful information – I will admit I’m still a bit foggy about it all, but you’ve given me enough information to provide good direction. Now I’ll poke around a bit more to become comfortable with this issue. Bless Facebook, they do keep things lively, huh?

  6. Hi,

    Thank you for the insight to the SSL switch-over. Also as Carol inquired… I also am very curious as to how this will affect autoresponder forms.



    1. Hello Mark…

      Whoops! I’d forgotten to add that in my reply to Carol! Thanks for noticing. When your iFrame is created the code for the auto-responder optin form will sit within the iFrame and it will be hosted on a domain with a SSL Certificate so all will be well πŸ™‚

  7. Hello Sadie-Michaela,

    Thank you so much for this article. I can understand facebook wanting to protect themselves by insisting outside frames are hosted on secure servers. This is one more cost though to be added to what people spend for everything else, but I suppose it is one of those necessary investments if we want to use facebook for our businesses.

    I just think it’s getting a little cumbersome now with all the changes they have been introducing lately.

    Keep the Smiles,


  8. Hi Sadie
    Thanks for the detailed explanation. I have been thinking lately about how to create my Facebook fanpage and before I can figure that out, I have this to consider too. With all the changes going on, I’m not sure if I’ll ever get my fanpage up πŸ™‚

    1. Hello Lian,

      Thanks for dropping by, I know your website, if you like some help with your page when you start to build it just give me a shout … as you say it’s a fast paced environment πŸ™‚

  9. Well, this answers some questions! Thanks for laying it all out so clearly. I’ll have to bookmark this page and come back to it later, because my FB page is not a priority… that is to say, not that it isn’t important, but that there are several more pressing things I’m working on at the moment. But I’ll be back!

    Willena Flewelling

  10. Oh gosh, that’s certainly important stuff to know and I can imagine the smiling sharks being out in full force on this one…

    Thank you so much for the heads up… it gives plenty of time for people to prepare!

    It’s quite scary how easy it is to hack in to others computers so I certainly welcome the better security measures!

    All the best,

    Emma πŸ™‚

    1. Thanks for dropping by Emma, I was just looking at your blog post title… very apt for my I have just returned from 5 days on a farm …which has a few chickens! πŸ™‚

  11. Hi Sadie,

    I have been hearing about this for a little while now. My understanding is that there is a litle more to installing SSL regarding how you write your web pages.

    Even though I have created my own sites and everything else, if I start producing external Facebook pages, I am going to get some help!

    Thanks for the detailed advice.

  12. Brilliant article full of information. I appreciate when an intelligent person post information we all need to hear and use. I’ve taken the time to secure my Facebook page and am considering stepping into securing the pages of National Seizure Disorders Foundation website because I do provide the opportunity for charitable people to give any amount on their hearts. I’ll have my web guy definitely take a look at this article and help me with that decision.

    Thank you for helping all your readers –

    Terrific Tonya Heathco
    National Seizure Disorders Foundation

  13. Hi Sadie
    Very informative post. I wondered why I kept seeing boxes pop up on fb saying if you want to see this page you have to change settings. Fortunately my fanpages host is ahead of the game and already has ssl certificates covering his clients.

  14. Sadie, many thanks for the update and I always delighted to get your updates about Facebook and Social Media. I have been on many welcome Facebook pages that need this information to be up to date. All the best and I will be back to your blog. Rosemary

  15. This could be some very helpful information. I swear all this talk about security just makes my head swim. While I don’t use wi-fi hotspots very often, I’ll definitely be careful about where I’m going and what I’m doing on them in the future.

    Hopefully nobody will figure out how to make the lock icon appear on an unsecure network to fool us into thinking we’re protected.

    1. Dave, Wow …that’s a good point you make and I hadn’t even considered the implications of that! – Hopefully the secure lock is not something which can easily be replicated and fool the unsuspecting user! πŸ™‚

  16. Hey Sadie, great coverage of the technical side of this one. This is exactly what I warned about in my iFrames 101 training that is still available for sale though I did not go too far into the subject. Fortunately those using quality services like Fan Page Engine do not have to worry about this as those servers are already configured for SSL and their customers will not have this stress. However, those using one of the many WordPress plugins available to generate iframes on a WP site definitely have to look at this issue. For me this was one of the reasons that – at the time while the decision was not finalized – that I did not promote a particular wp plugin as I knew this task would be daunting for the average novice and thus an inappropriate sale. I am NOW looking at alternatives, and which plugins are worth the effort of this type of setup. I am glad though that many of my subscribers are with FPE so I do not have to worry about their iframe stability through this transition.

    1. Hello Kimberly,

      I’ve learned lots of super tips from your site, thank you for popping over here πŸ™‚

      Fan Page Engine now aka iFrame Engine is a wonderful tool, user friendly with great support. I bought a developer’s licence just after it was launched;- anyone using FPE, Lujure or similar 3rd party platforms / applications will not have to concern themselves with the SSL certificate as you mentioned.

      There are several WordPress based iFrame themes available now;- designed especially to be used on Facebook pages we’ve been playing with a few of them. In the coming months we’re sure to see more and more of these themes launched too with a greater array of capabilities and feature. Interesting times πŸ™‚

  17. Hello,
    I find this post very useful and informative. In fact, I shared it on my sites. I’m still a bit confused about the SSL and the things around it. But the hacking thing is very informative. It’s a great help to make us aware and protect our information online. Thank you very much for the information.

  18. I am all for a more secure FB experience. Obviously things change from time to time especially when there are the “sharks” out there just waiting. πŸ™‚

    1. Trudy, hello

      It’s great that we have the choice to make ourselves more secure on Facebook – I often wonder what proportion of the rapidly approaching 700 million active Facebook profiles are genuine. Today, June 2nd, SocialBakers are reporting 689 332 700 active users;- by genuine I mean not a double account, not an account held in a random fake or nick name or a business account running under a personal profile. I’m sure those numbers could be quite staggering truth be known! Whist not all are intent on criminal activity some certainly will be! πŸ™‚

  19. I’m probably also going to be one of the ones who are “foggy” on this issue. I don’t understand the technology language! As I understand this, (and in non-tech language πŸ™‚ all FB pages will be secure. If I am doing the FB page myself, I have to fill out two things (but don’t know where they are). If someone else does it for me, I will need to pay. In simple language, is that it?

    But there’s something else . . . I’ve changed my personal FB settings to be the https, but under that setting I can’t access everything, or perform certain actions. What’s with that? I’d like my site to be secure, but if I can’t use FB by being secure, isn’t that defeating the purpose of both?

  20. Great article, Sadie! Looks like I’d better take another look at my iframeengine developer package πŸ™‚

    I’m also wondering if an SSL certificate may go some of the way towards helping with the whole cookie legislation thing being put forth by the EU. I know their issues are mainly with data protection but at least if we can prove that any collection systems in the form of cookies that are on site are secure, people might not be so suspicious…

    1. Hello Jo,

      There will not be any issues with your developer version of iFrame Engine;- iFrame Engine will have that in place! Nice and easy.
      Regarding the SSL and the cookie legislation, yes I wonder;- be interesting to see how it pans out.
      The thing is people don’t have to jump through hoops to get an SSL so any old crook could have one in place too for some short term gain! πŸ™‚

    1. Hello Andy

      Thanks for popping by and for all your help;- I’m still playing with it! πŸ™‚

      Sounds like the SSL is cheaper with GoDaddy than HostGator, they charged 50 USD on domains which were not our registered business domain – ie that attached to our reseller’s account and there’s small monthly charge too. They installed the SSL;- didn’t seem to offer self install but I could have missed that;-

      Á bientôt πŸ™‚

  21. I am sorry but it is a FACEBOOK page no an BANC πŸ™ My application doesn’t need any information from facebook ( to or from ) it is just an iframe application inside a facebook and there is absolutely NOTHING to protect so why do I have to buy security for page that doesn’t need security ? i am sorry but this is just bshit …

    1. Hello Tom πŸ™‚

      Thanks for dropping by … I hear you;- with it being a free platform we have just the two choices conform or jump ship. πŸ™‚

      Love your brightly colored home page with all the word definitions…
      I’d would like to know more about what your doing over there at Mindworks πŸ˜‰

  22. Facebook seems to be losing it’s coolness factor that supposedly made it so great in the beginning. Simple, intuitive, easy to understand. All these numerous changes that keep coming out it appears daily you’d think has to irritate most people. If they keep up this erratic update and change behavior, surely some other social media site will takeover. It’s just crazy.

  23. “As mentioned Ò€œ1 SSL will cover one domain and any sub-directories which you install;- Ò€¦.
    BUT it will not cover sub-domains, each sub-domain would also require its own SSLÒ€

    So… if each sub-domain would require its own SSL… how can it also have its own dedicated IP? (which I thought is required to get the private SSL) ??

    Thanks for this article. I have gone around with HostGator on this and being a long time user, but novice techie I am still in the dark. I set up onedalas.com using the HostGator business with included IP and SSL and that works out to +/_$14 a month. And that price in the second year may go up, but the SSL comes along with the package. So I figure I am set for Facebook and ecommerce, come what may.

    But now that we are adding onevoicecan.com, I am befuddled. I believe I need a whole separate biz package with its own control panel to keep a clean separation between the sites. But I get confused if I try to think of piggybacking onevoicecan with onedalas. The idea of unlimited domains on one package sounds very frugal, but not if just a few months down the road, I have to rejigger everything. Am using WordPress/Genesis/child themes.

    Well, thank you all for listening. Just found this site tonight and am sure I will be scouring for more great info. have a great weekend, joe

    1. Hello Joe

      Check out this very helpful article from Peter Beattie http://imrevolver.com/fanpage-ssl/ too it gives an excellent walk through of how set up the SSL for Facebook. I was about to do one with 1st October looming but then I read Peter’s blog, he includes an additional step required if you are using WordPress for making your iFrame and he is happy for it to be shared. Hope it helps you Sadie

  24. Nice! I’ve been preaching this for a while. Glad to see another person doing it too. I think this is important. Especially since I enabled my SSL on facebook as soon as it was available — I noticed many custom pages were broken (yes even the large companies have issues with this.)

    So, I started a service that I plan to offer for free for a while to small businesses and non-profits to help with this “issue”. Basically, using wordpress I publish the custom facebook fanpage from a SSL capable server. All you need is an account and then it is just like writing a wordpress post to create the page.

    I went through the steps of setting up SSL on a few of my wordpress sites recently too. It isn’t too difficult.

    Let me know if you need some guidance either way – shoot me an email and I’ll give you all the help and advice that I can.

  25. Hi
    Thank you for such detailed and precise explanation. However, I wanted to ask if you whether I had to get a SSL certificate for merely having a fanpage or not. Do I need a SSL certificate if I am directing people from my fan page to my website? Or what if I put in a web form, even then?

    Thanks in advance for your feedback and have a nice day.

    1. Hello Lana,
      Just to have a Facebook Page and SSL is not required.
      If you want to customized your Page in anyway, such as adding an optin form your Page as you mentioned , the Page will need to be hosted in a location which has a valid SSL certificate.
      If you chose a platform such as IFE or Lujure to build your Page they have it in place. I
      If you make your own iFrame you will need to host your Page in a location with an SSL.
      Hope that helps πŸ™‚

  26. Thanks for making this clear information available for
    novice. Also it is important that we have enough time
    to correct any problems with interruption of service.

  27. I think that this change while good for the trust and development of legit apps is useful; it is going to cause havoc for those who write apps for fun not profit!

  28. Hi Sadie:

    You absolutely are savvy when it comes to these issues. I have been hearing about the Facebook SSL requirement buzz for a few months and since I use fan page engine for my page, I decided to wait and ride it through. See what happens comes October. Now with your explanation of SSL and http:// https:// I must say I now have a clear understanding of what differentiate the two. I kind of knew https: means more secure but did not think in terms of payment etc.. thanks for sharing. Your site is loaded with great information.

  29. Hello Sadie, I managed to get a special on GoDaddy the other day for only $13 for the year, don’t know if it’s still available.

    There seems to be a little confusion – the SSL certificate isn’t for the facebook page, it’s for the website, where the Facebook page iFrame tab is hosted.

    facebook page walls are fine with or without the https And, if your Facebook page Tab is hosted on a secure site it’s okay also. Easy to prove this, by enabling your secure browsing security on your Facebook profile. Then, go to a Facebook page wall, and you’ll see it’s okay.

    Just the terminology that’s confused that’s all.

    Regards from Julieanne

  30. You forgot to mention that it is possible to install free SSL certificates on the webserver or use shared SSL certificates (if in a shared hosting environment):

  31. Today 10-24-11 On my laptop only I am having trouble with Certificate information on Facebook… it brings up an alert with a crosses out of the https symbol before facebook.com and won’t let me connect unless I say “go ahead anyway” to the not suggested site. So I didn’t… can you advise if .ak.fbccdn.net issued by akamai subordinate ca3 is a valid address looks very suspect to me

    thank you

    1. Hello Chris
      It is certainly normal to be asked to accept to a non secure page these days if you are going to a page on Facebook which has been customised and is not hosted in a location which has an SSL. If you want to take a screen shot and email it to us I’m be happy to take a look for you πŸ™‚

Leave a Reply

Your email address will not be published. Required fields are marked *