dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
62789

swintec
Premium Member
join:2003-12-19
Alfred, ME

swintec

Premium Member

IFrame With HTTPS on HTTP Page?

Hi, Just a quick question. If I have a standard HTTP page and add an IFRAME that will display a secure page, is this a security issue or will it cause possible browser conflicts? Will browsers constantly give warnings about secure/nonsecure page content? Thank you.

johnnyboyct
join:2003-06-11
New Britain, CT

johnnyboyct

Member

I dont think you can, especially if its not your doamin.

swintec
Premium Member
join:2003-12-19
Alfred, ME

swintec

Premium Member

said by johnnyboyct:

I dont think you can, especially if its not your doamin.
It is my domain, both links (HTTP and HTTPS). I just didnt know if the HTTPS would cause issues because the surrounding page is HTTP.

Ken
MVM
join:2003-06-16
Markle, IN

Ken to swintec

MVM

to swintec
In IE I think you will cause everyone to get the error message about both secured and unsecured content being displayed.
FBM
join:2002-07-25
Chicago, IL

1 edit

FBM to swintec

Member

to swintec
I think you will be ok. Here is an example:

»www.clevelandutilities.c ··· ppay.htm

The outlying page is http and the inner iframe is https.

Edit: I do see that IE found an error on that page, however i'm not sure if it is due to the iframe/https.

swintec
Premium Member
join:2003-12-19
Alfred, ME

swintec

Premium Member

said by FBM:

I think you will be ok. Here is an example:

»www.clevelandutilities.c ··· ppay.htm

The outlying page is http and the inner iframe is https.

Edit: I do see that IE found an error on that page, however i'm not sure if it is due to the iframe/https.
Thanks. This is precisely what I wanted to do. I was just unsure if it was poor practice of sorts to do it this way.
FBM
join:2002-07-25
Chicago, IL

FBM

Member

One thing to keep in mind with this approach is that your users won't see the https "lock" in the browser.

twizlar
I dont think so.
Premium Member
join:2003-12-24
Brantford, ON

1 recommendation

twizlar to swintec

Premium Member

to swintec
said by swintec:
said by FBM:

I think you will be ok. Here is an example:

»www.clevelandutilities.c ··· ppay.htm

The outlying page is http and the inner iframe is https.

Edit: I do see that IE found an error on that page, however i'm not sure if it is due to the iframe/https.
Thanks. This is precisely what I wanted to do. I was just unsure if it was poor practice of sorts to do it this way.
Generally anything involving frames is a poor practice

JAAulde
Web Developer
MVM
join:2001-05-09
Frederick, MD
ARRIS SB6141
Ubiquiti EdgeRouter Lite
Ubiquiti UniFi AP

1 recommendation

JAAulde to swintec

MVM

to swintec
You can do what you're asking about, but you're degrading the amount of confidence a user should have in your site and the content within.

Lots of banks do this sort of thing for their front pages from which you can log into your account. There was a long discussion about it here: »Chase Bank = no encryption The first post to really discuss the real problem in that thread is by robo_mojo See Profile. A couple of others, including mine, say some of the same things.

The bottom line is that your outer page is not encrypted or signed, therefore the user cannot be sure that the page was not manipulated in route. So without viewing source or looking at it in memory with a tool like Firebug, as well as some other investigating, your user cannot be sure that the iframe is still pointing to where it should, etc. Or maybe a script was injected which manipulates the DOM in memory to play with what was your iframe.

SSL (HTTPS) has two purposes--encryption and non-repudiation. You're removing the second portion, causing doubt about both purposes.

twizlar
I dont think so.
Premium Member
join:2003-12-24
Brantford, ON

twizlar

Premium Member

Agreed completely. While the SSL serves 2 purposes, the second is the most important to users I believe, if a user THINKS a site is safe, and has a visible way of believing it is, they are much more likely to use the site.