Slashdot Mirror


Facebook Removes Firewall from Applications

NewsCloud writes "Last week, Facebook quietly removed sign-in restrictions that previously hid third party applications from the public Web. In other words, Facebook now allows its third party applications to be viewable on the Web by anonymous visitors and indexable by search engines. Web developers can now build an application using Facebook's platform usable by anyone on the Internet — not just Facebook members (e.g. the Lending Library). In doing so, developers can leverage Facebook's login and registration as well as its other platform services, which are becoming increasingly substantial. Facebook may be trying to gain advantage as a universal authentication gateway for public Web applications. If successful, it could further hamper efforts to establish OpenID. This will also help the company break out of its earlier AOL-like walled-garden strategy."

4 of 72 comments

  1. Re:hamper? by mustpax · Score: 2, Informative

    Yeah both "AOL, Cordance, JanRain, Microsoft, NetMesh, Six Apart, Sxip, Sun Microsystems, Symantec, Verisign, Yahoo! [and] Google." http://radar.oreilly.com/archives/2007/12/openid_20_final.html Not to mention plugins already available for open source publishing tools such as WordPress.

  2. Re:plaintext? by pat+mcguire · Score: 5, Informative

    Instead of http://facebook/ use https://facebook./ They don't advertise it, but there it is. It doesn't protect anything but your password, however. After sign in you're off of SSL.

  3. Re:plaintext? by deftcoder · Score: 3, Informative

    <form method="post" name="loginform" action="https://login.facebook.com/login.php" ...
    You're POSTing to a secure page anyways... all that happens for me when I visit https://facebook.com/ is I get warned about an invalid SSL certificate and then redirected ("Location: http://facebook.com/" HTTP header) back to the non-https site.
    --
    Peace sells, but who's buying?
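
An added example, not part of the thread and not Facebook's code: a Python check for the two points raised in the replies above, that a login form can post to HTTPS while the page carrying it arrives over HTTP, and that a redirect can drop the browser back to HTTP. The form action and the redirect target come from the comments; the input fields, function names and sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the form tag is the one quoted in the thread,
# the input fields are made up for illustration.
SAMPLE_PAGE = ('<form method="post" name="loginform" '
               'action="https://login.facebook.com/login.php">'
               '<input type="text" name="email">'
               '<input type="password" name="pass"></form>')

class LoginFormFinder(HTMLParser):
    """Record the action of every <form> that holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_forms(page_url, html):
    """Return [(submit_url, [issues])] for each password form on the page."""
    finder = LoginFormFinder()
    finder.feed(html)
    results = []
    for form in (f for f in finder.forms if f["password"]):
        target = urljoin(page_url, form["action"])  # empty action = page itself
        issues = []
        if urlsplit(target).scheme != "https":
            issues.append("password posted in cleartext")
        if urlsplit(page_url).scheme != "https":
            issues.append("form served over HTTP, action can be altered in transit")
        results.append((target, issues))
    return results

def scheme_downgrades(redirect_chain):
    """Return (from, to) hops where a redirect leaves HTTPS for HTTP."""
    hops = zip(redirect_chain, redirect_chain[1:])
    return [(a, b) for a, b in hops
            if urlsplit(a).scheme == "https" and urlsplit(b).scheme == "http"]
```

Run against the sample with `http://facebook.com/` as the page URL, the audit reports an HTTPS submit target but flags the HTTP delivery of the form itself.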

  4. Re:Security of applications by 5of0 · Score: 2, Informative

    Does this strategy protect the Facebook users' data from being seen by non-Facebook users at the Facebook API level? By this, I mean that Joe Internet User cannot see my data on the Facebook application, and that Facebook is held liable for this, not the application developer? If this cannot be guaranteed, it looks like I might be removing most of my applications, no matter how useful they may be. I trust Facebook a whole lot more than I trust individual people.
    Um, no. The other replies are woefully errant and FUD. From the announcement (login may be required?):

    Of course, we're concerned about our users' privacy, and so the only user-specific data available on public canvas pages will be first name and profile picture (and then only if the user's profile picture is already publicly searchable). But you, the application developer, need not worry; FBML tags will automatically handle privacy rules for you.
    So no. And no, I as a FB developer can't get to the data anyway. It works like this:
    1. I write code to do my normal FB app, as if it's logged in.
    2. Someone accesses my canvas page from outside of Facebook.
    3. Any reference to personal data on the page is scrubbed out, except for a) first name and b) profile picture*
    *Available only if the user hasn't disabled public searchability of themselves

    As a dev, I can't get any extra data outside of the "garden" of being logged in (see ** below). It's entirely done on FB's side, I don't (and can't) change anything on my end to make private data more available to non-logged-in instances.
    I'm pretty sure there is a lot more info out there for a lot of us than first name and a picture. And if you're interested in privacy, you've already got the picture disabled, because otherwise it could show up with a Google search.
    So I call FUD. For anyone who is remotely concerned with privacy, the data miners get...your first name. Whoop-de-do. And if you're not concerned? They get a picture. Definitely going to be able to steal your credit card info now! I can run your first name through my picture-to-last-name-database and find you!!!!
    Sure, Facebook has made some missteps, but they've done a good job of responding when there is an upswell of legitimate protest.
    This protest is illegitimate and misinformed, and this feature provides little to no privacy risk.

    To summarize: The nasty hax0rs get your first name and, if you don't care about privacy, your picture. And no, there is no way that a dev can give you that information.**
    **Okay, they could cache the information from logged in sessions in their db and then present it to you, but that would be a) against the TOS and b) stupid, since only cached data would be available, and if you *really* wanted it, you could just create a FB account. You can argue obscure ways that they could present the data, but in the end, there are a lot easier ways, and this provides no additional security breach.
    --
    You all have Oo.o and Firefox, so get World Wind.