Gross explained the change as follows:
These changes are part of a broader shift in how browsers and websites encrypt traffic to protect the contents of online communications. Typically, Web browsers use a hash function to create a unique fingerprint for a chunk of data or a message. This fingerprint is then digitally signed to prove that a message has not been altered or tampered with when passing through the various servers and systems between your computer and Facebook’s servers.
For the past two decades, the SHA-1 standard has been the preferred choice across the Internet for calculating message fingerprints. But after identifying security weaknesses in SHA-1, the Certificate Authority and Browser Forum recently published new Baseline Requirements for SSL, recommending that all certificate authorities transition away from SHA-1 based signatures, with a full sunset date of Jan. 1, 2016.
We’ll be updating our servers to stop accepting SHA-1 based connections before this final date, on Oct. 1, 2015. After that date, we’ll require apps and sites that connect to Facebook to support the more secure SHA-2 connections.
Gross suggested that developers check their apps, software-development kits and devices that connect to Facebook in order to determine whether they support SHA-2, adding that more information is available here and here.
Developers: Are you ready?