  swintec Premium join:2003-12-19 Alfred, ME
| IFrame With HTTPS on HTTP Page?
Hi, Just a quick question. If I have a standard HTTP page and add an IFRAME that will display a secure page, is this a security issue or will it cause possible browser conflicts? Will browsers constantly give warnings about secure/nonsecure page content? Thank you. -- Usenet Accounts |
|
  johnnyboyct
join:2003-06-11 Newington, CT | I don't think you can, especially if it's not your domain. |
|
  swintec Premium join:2003-12-19 Alfred, ME
| said by johnnyboyct: I don't think you can, especially if it's not your domain.
It is my domain, both links (HTTP and HTTPS). I just didn't know if the HTTPS would cause issues because the surrounding page is HTTP. -- Usenet Accounts |
|
  Ken Premium,MVM join:2003-06-16 Brownsburg, IN | reply to swintec In IE I think you will cause everyone to get the error message about both secured and unsecured content being displayed. |
|
 FBM
join:2002-07-25 Chicago, IL
1 edit | reply to swintec I think you will be ok. Here is an example:
»www.clevelandutilities.com/obppay.htm
The outlying page is http and the inner iframe is https.
Edit: I do see that IE found an error on that page, however I'm not sure if it is due to the iframe/https. |
|
  swintec Premium join:2003-12-19 Alfred, ME
| said by FBM: I think you will be ok. Here is an example: »www.clevelandutilities.com/obppay.htm The outlying page is http and the inner iframe is https. Edit: I do see that IE found an error on that page, however I'm not sure if it is due to the iframe/https.
Thanks. This is precisely what I wanted to do. I was just unsure if it was poor practice of sorts to do it this way. -- Usenet Accounts |
|
 FBM
join:2002-07-25 Chicago, IL | One thing to keep in mind with this approach is that your users won't see the https "lock" in the browser. |
|
  twizlar I dont think so. Premium join:2003-12-24 Brantford, ON
| reply to swintec
said by swintec:
said by FBM: I think you will be ok. Here is an example: »www.clevelandutilities.com/obppay.htm The outlying page is http and the inner iframe is https. Edit: I do see that IE found an error on that page, however I'm not sure if it is due to the iframe/https.
Thanks. This is precisely what I wanted to do. I was just unsure if it was poor practice of sorts to do it this way.
Generally anything involving frames is a poor practice -- Broadline Networks Inc. |
|
  JAAulde yum yum yum yum yum Premium,MVM join:2001-05-09 Hagerstown, MD
| reply to swintec You can do what you're asking about, but you're degrading the amount of confidence a user should have in your site and the content within.
Lots of banks do this sort of thing for their front pages from which you can log into your account. There was a long discussion about it here: »Chase Bank = no encryption
The first post to really discuss the real problem in that thread is by robo_mojo. A couple of others, including mine, say some of the same things.
The bottom line is that your outer page is not encrypted or signed, therefore the user cannot be sure that the page was not manipulated en route. So without viewing source or looking at it in memory with a tool like Firebug, as well as some other investigating, your user cannot be sure that the iframe is still pointing to where it should, etc. Or maybe a script was injected which manipulates the DOM in memory to play with what was your iframe.
SSL (HTTPS) has two purposes--encryption and non-repudiation. You're removing the second portion, causing doubt about both purposes.
-- No eat apple, eat cookie. Apple spoil dinner.
My Development Sandbox | Blessed Beyond Reason | LinkedIn Profile |
|
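Added example, not part of any post in this thread: one way a site owner could close the gap described above is to never serve the outer page over plain HTTP and to have the framed HTTPS page refuse any non-HTTPS parent. The origin `https://www.example.com`, the `/login` path and all function names are assumptions made for illustration.

```javascript
// Added illustration; SITE_ORIGIN and the paths are placeholder assumptions.
const SITE_ORIGIN = "https://www.example.com";
const HSTS = "max-age=31536000"; // one year

// Decide the response for the OUTER page.
// `req` is a plain object: { secure: boolean, url: string }.
function outerPageResponse(req) {
  if (!req.secure) {
    // Plain-HTTP request: send only a redirect, never the page body,
    // so the iframe markup is not delivered over an unprotected channel.
    return { status: 301, headers: { Location: SITE_ORIGIN + req.url }, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Strict-Transport-Security": HSTS,
      // The outer page may only embed frames from our own HTTPS origin.
      "Content-Security-Policy": "frame-src " + SITE_ORIGIN,
    },
    body: '<iframe src="' + SITE_ORIGIN + '/login"></iframe>',
  };
}

// Headers for the INNER (framed) page: only an HTTPS parent on our own
// origin may embed it, so an http:// wrapper cannot display it at all.
function innerPageHeaders() {
  return {
    "Strict-Transport-Security": HSTS,
    "Content-Security-Policy": "frame-ancestors " + SITE_ORIGIN,
  };
}

// Simplified model of the browser's frame-ancestors check for a policy
// that lists exactly one origin (real CSP matching handles more forms).
function parentMayFrame(parentUrl, headers) {
  const policy = headers["Content-Security-Policy"];
  const allowed = policy.replace("frame-ancestors", "").trim();
  return new URL(parentUrl).origin === new URL(allowed).origin;
}

// Constructed sample requests.
console.log(outerPageResponse({ secure: false, url: "/pay.htm" }).headers.Location);
console.log(parentMayFrame("http://www.example.com/pay.htm", innerPageHeaders()));
```

The very first plain-HTTP request can still be altered before the redirect arrives; the HSTS header only protects later visits from the same browser.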
  twizlar I dont think so. Premium join:2003-12-24 Brantford, ON
| Agreed completely. While the SSL serves 2 purposes, the second is the most important to users I believe, if a user THINKS a site is safe, and has a visible way of believing it is, they are much more likely to use the site. -- Broadline Networks Inc. |
|