
I noticed this problem when I implemented the Facebook Like Button plugin on my website, and got this error in my browser console:

Facebook like button - SHA-1 error

Hmm, I'm assuming that Firefox is talking about the last request, which is to Facebook's API. But just to be sure...

Facebook's SSL certificate

Alright, I guess they just haven't gotten around to updating yet. But wait a minute, Facebook themselves are planning to block apps that use SHA-1 in about a month!

Hmm, maybe my browser is caching some old cert (is that even possible???) Well, let's see:

SHAAAAAAAAA checking website - Facebook.com

What the heck is going on here?

alexw

2 Answers

From the first paragraph of the link you've provided:

As a result, apps that don't support SHA-2 certificate signatures will no longer be able to connect to Facebook starting on October 1, 2015.

I would read this differently from your interpretation. This is not a requirement for the apps to have certificates signed with SHA-2, but it is a requirement to support SHA-2 signatures. This is probably because Facebook is moving to SHA-2. And if the certificate for Facebook is signed with SHA-2, apps which don't support this algorithm will not be able to validate the certificate and will thus (hopefully) fail.

If you look at the certificate of Facebook you will see that it expires on 15/10/15. This means that they will have a new certificate after that date, and I guess this will be signed with SHA-2, which is the reason they require apps to update now.

Steffen Ullrich
    TL;DR - Facebook can't move to SHA-2 until all of the apps which depend on it support SHA-2 first. – alexw Aug 29 '15 at 16:00
  • @alexw It *can*, but if apps used by many people aren't ready, Facebook will have that many unhappy users. How many unhappy users is acceptable for (visibly) better security, versus how many unhappy users is a big problem, is a judgement call by them. – dave_thompson_085 Aug 30 '15 at 10:14

There are unfortunately still many large sites that make use of a SHA-1 cert, and Chrome / Firefox don't complain because the cert expires before the end of this year. See this question about the same situation on Google.

That being said, don't concern yourself too much. I can see the same thing: [image]

I'm sure they'll upgrade it soon. (Not soon enough!)

Nic Barker
  • My friend apparently got an "untrusted connection" warning from her browser when she accessed my site, and I can't figure out why (since I use a SHA-2, non-expired cert issued by Comodo). So the only alternative I can imagine is that it is because of the Facebook request to a SHA-1 site. – alexw Aug 29 '15 at 04:38
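Both answers come down to two fields of the leaf certificate: the signature algorithm (SHA-1 or SHA-2 family) and the notAfter date (whether the SHA-1 cert runs past the end of 2015, which is what decided whether a 2015 browser merely logged a console warning or actually complained). The following script, an added example and not code from either answer or from Facebook, reads exactly those two fields from a DER certificate with a minimal ASN.1 walker from the Python standard library, cross-checks that the outer signatureAlgorithm matches the one inside tbsCertificate (RFC 5280 §4.1.2.3 requires them to agree), and applies the end-of-2015 rule described in the second answer. The certificates it parses are constructed, unsigned skeletons built by `skeleton_cert()` purely so the demo runs offline; they are not Facebook's real certificate. `fetch_leaf_der()` is a hypothetical helper showing how you would point the same check at a live host.

```python
"""Read signature algorithm and notAfter from a DER X.509 cert (stdlib only).

Added example. The certificates used for the offline demo are constructed
skeletons (no real signature, empty issuer/subject), not real-world certs.
"""
import datetime

# Signature-algorithm OIDs from RFC 3279 / RFC 5758.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}
# The 2015-era browser rule discussed in the answers: a SHA-1 leaf that
# expires on or before this date was tolerated with a console warning only.
SHA1_SUNSET = datetime.datetime(2015, 12, 31, 23, 59, 59)


# ---- minimal DER reader ----------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form: 0x8N + N length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def children(value):
    """Split the content of a constructed TLV into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out


def decode_oid(raw):
    """Decode OID content bytes to dotted form (first byte packs two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_time(tag, raw):
    """UTCTime (0x17, two-digit year per RFC 5280 4.1.2.5.1) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")


def inspect_cert(der):
    """Return (signature OID, notAfter) for a DER certificate.

    Raises ValueError if the outer signatureAlgorithm disagrees with the
    tbsCertificate.signature field (they MUST match, RFC 5280 4.1.2.3).
    """
    _, cert, _ = read_tlv(der)
    tbs, sig_alg, _sig_value = children(cert)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, tbs_sig_alg, _issuer, validity = fields[:4]
    outer_oid = decode_oid(children(sig_alg[1])[0][1])
    inner_oid = decode_oid(children(tbs_sig_alg[1])[0][1])
    if outer_oid != inner_oid:
        raise ValueError("signatureAlgorithm mismatch: %s vs %s" % (outer_oid, inner_oid))
    _not_before, not_after = children(validity[1])
    return outer_oid, parse_time(*not_after)


def sha1_verdict(der):
    """Classify a cert under the end-of-2015 SHA-1 rule: (verdict, algorithm name)."""
    oid, not_after = inspect_cert(der)
    name = SIG_ALG_NAMES.get(oid, oid)
    if oid not in SHA1_SIG_OIDS:
        return "ok", name
    if not_after <= SHA1_SUNSET:
        return "sha1-expires-2015", name          # tolerated, console warning only
    return "sha1-expires-after-2015", name        # browsers would complain


# ---- constructed test certificates (DER encoder) ---------------------------
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        grp, arc = [arc & 0x7F], arc >> 7
        while arc:
            grp.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(grp))
    return tlv(0x06, bytes(out))


def alg_id(oid):
    return tlv(0x30, encode_oid(oid) + tlv(0x05, b""))       # OID + NULL params


def utc_time(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


def skeleton_cert(sig_oid, not_after):
    """Constructed, unsigned cert-shaped DER for the demo (NOT a real certificate)."""
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                     # version v3
              + tlv(0x02, b"\x01")                                # serialNumber
              + alg_id(sig_oid)                                   # signature
              + tlv(0x30, b"")                                    # issuer (empty Name)
              + tlv(0x30, utc_time(datetime.datetime(2015, 1, 1)) + utc_time(not_after))
              + tlv(0x30, b"")                                    # subject (empty Name)
              + tlv(0x30, alg_id("1.2.840.113549.1.1.1") + tlv(0x03, b"\x00")))  # spki stub
    return tlv(0x30, tbs + alg_id(sig_oid) + tlv(0x03, b"\x00" * 9))


def fetch_leaf_der(host, port=443):
    """Hypothetical helper: fetch a live server's leaf cert (network; unused offline)."""
    import ssl
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    sha1_oid, sha256_oid = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
    for label, der in [
        ("SHA-1, expires 2015-10-15", skeleton_cert(sha1_oid, datetime.datetime(2015, 10, 15))),
        ("SHA-1, expires 2016-10-15", skeleton_cert(sha1_oid, datetime.datetime(2016, 10, 15))),
        ("SHA-256, expires 2016-10-15", skeleton_cert(sha256_oid, datetime.datetime(2016, 10, 15))),
    ]:
        print(label, "->", sha1_verdict(der))
```

To run it against a real site, replace the skeletons with `fetch_leaf_der("www.facebook.com")`; note that `ssl.get_server_certificate` does not validate the chain, which is fine here because the point is to inspect the leaf, not to trust it. The OID cross-check is worth keeping in any such tool: a certificate whose two algorithm fields disagree is malformed and should be rejected rather than reported on.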