Special offer
Home > Blogs > Mike Mueller > Mike Mueller, Social Media Student
bookmark_border

Poisoning The Well

By
Education & Training with Tech and Social Media Consultant

Poisoning the WellWhile the title may suggest something else, I’m not using this as a rhetorical device.  The general idea behind “Poisoning the Well” is that early on, something is introduced into the stream and it impacts everything downstream.  This post is about Custom Facebook Page Apps.   The key to this post is about

What We Don’t Know

And yes, it can hurt us!
We don’t know who the people are that are viewing our Facebook Page.
We don’t know what computer they are using.
We don’t know what browser they are using.
We don’t know what security settings they have their browser set to.
And even if we did, we wouldn’t want to exclude them.

I build custom apps for businesses pages on Facebook.
More and more I see incorrectly built applications that just don’t work.
When I say they don’t work, I’m not talking about their effectiveness.

Click to check out the gallery

I mean they flat out don’t load.  Nadda, Zippo, Zilch!
Worse yet, the viewer’s browser may provide a ominous popup scaring people away!

Here’s a screen shot from a site using my Mac and Firefox when I went to view a Custom Page App.

The same App in Chrome yields and even better response

Just how many people do you think will choose the “Ignore the Risks” option?
Not many, right?  Realistically, how about ZERO?

My browser showed me that warning when I tried to view an App in Facebook yet the App had absolutely no malicious content inside it.  The only thing that App did was break the chain of security.  That’s all.

Security is a chain

Like millions of others I choose to sign in to Facebook “securely”.  No big deal other than the little s at the end of http

That s means that for me, every thing I view inside of Facebook will rendered secure.  In simple terms, everything lives on a server somewhere.  Code can ‘call’ a picture, or text, or snippet of other code from a server.  The s part of https simply means that…

When you connect to a secure website, the server hosting that site presents your browser with something called a “certificate” to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your computer trusts. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended, and not a third party (such as an attacker on your network).

…says the warning from Chrome.

Here’s how my own Secure Server looks.

Your Facebook Apps could have a problem

The content within them now is all iframed.  That means the content lives on servers not owned by Facebook, servers that may or may not be secure.  That’s not a big issue as long as all the content, let me repeat that again for emphasis…
ALL THE CONTENT is coming from a secure server somewhere.

Does your Page Apps load fine for you?  Are you sure?  To check, you'll need to be signed in securely (https).  Next you'll need to view your page in a variety of browsers.  Still loads fine?  Change the browser settings to the highest security, clear the cache for each and try again.  Is it broken?

Here’s How You Screwed Up

Did you get one of those free apps that allow you to put stuff in a box to create a Page Tab?
Is the App itself hosted on a secure server?  Did you check?  It better be or your Tab is broken.
I see a lot of these right now.

Know a little html?  Did you write anything that looks like <img src=”http:
Congrats!  You just broke your own app!  The same goes for <a href=”http:
and many other possibilities.  The same could be said for even a Paid App.   If just one single thing, one very small little thing comes from a non secure server – you’ve broken the chain.  You’ve broken your App.
No, you can’t just stick an s to the end of every http – nice try!

The Right Way to do it

There’s a right way to do it and it’s really simple too.  Just make sure everything is sourced from a secure server.  Everything.  If you do that, the Tab you’re building will be fine for both non secure and secure browsers (like me).

When Facebook announced that users would be able to sign in securely I saw what was needed and now every custom app I build resides on both a secure and non secure server so that no matter who views one of my Apps, no matter how they sign in, and no matter what browser they use – the App will work!

Comments(0)

Subscribe to Comments Comment
Submit
Back to Top

What's the reason you're reporting this blog entry?

Are you sure you want to report this blog entry as spam?