The SHA-2 certificate signatures will replace those signed with SHA-1 and apps that use SHA-1 after October won't work on Facebook anymore, Adam Gross, a production engineer at the company, stated a blog post.

"We recommend that developers check their applications, SDKs, or devices that connect to Facebook to ensure they support the SHA-2 standard," Gross wrote.

Facebook is getting up to speed with Microsoft, Google and Mozilla on mandating SHA-2 hash signatures. Image: iStock/Danil Melekhin

SHA-1 has been considered weak for about a decade. Researchers have shown it is possible to create a forged digital certificate that carries the same SHA-1 hash as legitimate one.

The type of attack, called a hash collision, could trick a computer into thinking it is interacting with a legitimate digital certificate when it actually is a spoofed one with the same SHA-1 hash. Using such a certificate could allow an attacker to spy on the connection between a user and an application or website.

Microsoft, Google, Mozilla and other organizations have also moved away from SHA-1 and said they will warn users of websites that are using a connection that should not be trusted.

The Certificate and Browser Forum, which developers best practices for web security, has recommended in its Baseline Requirements that digital certificate issuers stop using SHA-1 as of Jan. 1.

Find your next job with techworld jobs