Solved

Is it safe to embed a secure web page within an iFrame?

Posted on 2008-06-10
Last Modified: 2010-04-21
Hello,

I'm hosting a secure form (https://www.mywebsite.com/myform.php) on a different server and I want to display it with an iFrame on a non-secure site:

<iframe name="i_frame" width="690" height="450" scrolling="no" src="https://www.mywebsite.com/myform.php"></iframe>

Is it safe to do so? Will the non-secure site over-ride the secure site?

Thanks
Question by:wattanabi2

17 Comments
LVL 12

Expert Comment

by:pigmentarts
It's not secure; you will have both secure and non-secure items on your page.
 
LVL 14

Accepted Solution

by:_Stilgar_ (earned 500 total points)
It is perfectly fine to do so as long as you're keeping to simple guidelines, although it is not recommended since web browsers tend to warn users of such situations.

As long as the iframe is being loaded from an https:// location, and info is being submitted to an https:// location, that's fine, since the data will travel securely (the form can even be loaded from http://, as long as the data you need to encrypt only travels on https://). This situation IS secure, but most likely your site users will not be able to see that it is, since it is in an iframe.

Stilgar.
 

Author Closing Comment

by:wattanabi2
Hi Stilgar,

That's what I thought. Is there a more technical way to explain this? Mainly how the embedded iFrame is technically behind a non-secure site, yet the actual transaction is secure.

Thanks
 
LVL 14

Expert Comment

by:_Stilgar_
Sure. The technical explanation lies in my post: as long as data is being transmitted on a secure channel, this is fine. When your iframe posts to an https:// location, it uses SSL sockets, which create a secured channel.

Stilgar.
 

Author Comment

by:wattanabi2
Perfect. Thanks again!
 
LVL 12

Expert Comment

by:pigmentarts
Allowing mixed content is a security risk. Everything should be hosted through HTTPS!
 
LVL 14

Expert Comment

by:_Stilgar_
Ideally, yes, but what is going through a secured tunnel is secured. A web browser loads data asynchronously, so what is secured is left secured, and what is not is not. Can you explain what risk there is to the secured data?

Stilgar.
 
LVL 12

Expert Comment

by:pigmentarts
The risk of displaying mixed content is that a non-secure web page or script might be able to access information from the secure content. This can be done in script very easily; on the non-secured page a script could send screen grabs back asynchronously if it wished to. I write payment gateways; if you want your data to be truly secure you should not do this.
 
LVL 14

Expert Comment

by:_Stilgar_
Yes, but as long as you're the author of the two I don't see any reason for not doing that if you must for some reason (minus the fact that the web browser will probably nag you about it, or will not care to tell you the iframe is secured). This is the case, btw, with many ads in secured sites throughout the web.

Stilgar.
 

Author Comment

by:wattanabi2
Maybe this will clear things up. I found a site that is currently doing this:

http://www.jeffcopublicschools.org/misc/employee_connections.html

Note the embedded iFrame:

<iframe vspace="0" hspace="0"  id="i_frame" name="i_frame" allowtransparency="true" frameborder=0 width="690" height="450" scrolling="no" marginwidth=0 marginheight=0 src="https://slb.jeffco.k12.co.us:472/websurvey/Login.cfm" align="left" title="Music Calendar"></iframe>
 
LVL 12

Expert Comment

by:pigmentarts
The question was: is it secure? And from a customer's point of view it is NOT. If he/she is developing a commercial site, I don't think the customers are just going to take the website owner's word that they are not going to be spying on them. Payment systems are secured so that not even the domain owner gets to see the personal information entered; this would defeat the point.

The other point is, it's not just the author that could create such a script. If this is how data is being secured, it would lead me to believe the site owner could have other server weaknesses that would allow me to upload such a script, such as cross-site scripting, holes in IIS etc. If a weakness could be found, a script could find its way to the server very easily.

The last factor is that many customers concerned with security disable pages that show both secure and non-secure content. Any browser like IE and FF has this option, and many use it.
 
LVL 12

Expert Comment

by:pigmentarts
Just because you found one site that is doing it does not mean it's correct; I can give you examples of millions that are not. OK, it's only a password screen, but if this was payment details they would have major problems. Just read the post above.
 

Author Comment

by:wattanabi2
I'm not saying that this is "correct". I'm only showing an example of a site that is currently doing what I want to accomplish, just so that everyone is on the same page.
 
LVL 12

Expert Comment

by:pigmentarts
If that's all you are doing, I don't see anyone going to great lengths to hack this. But you put people off, and some like myself will not see the page because I don't display mixed items.

You asked:

Is it safe and secure? Answer: it's not.

Will the non-secure site override the secure site? Answer: yes, users on IE MAY get a popup telling them they are both secure and non-secure.

I don't think you should have accepted the answer of _Stilgar_ as it is not correct and bad advice.
 
LVL 12

Expert Comment

by:pigmentarts
Sorry if I sound a little abrasive, it's late here (must go to bed). I just want to make sure you get the correct facts for your question.
 
LVL 14

Expert Comment

by:_Stilgar_
@pigmentarts - even if the whole site is secured, and the webmaster is hosting a 3rd party form, he can access that form's data with a script and post it with AJAX to his pages/WSs or whatever. Hacks can be done everywhere, anytime. The recent GMail exploit is a very good example - google for it if you haven't heard of it. The author asked whether data in the iframe will be secured as it is - regardless of the non-secure page wrap - and the answer to that is yes. Whether that page wrap is harmless or not is really up to him...

Stilgar.
 
LVL 12

Expert Comment

by:pigmentarts
Data would only be secure in the iframe if the page it was embedded on was also on SSL. In this case the information is NOT secure in the iframe because it's embedded on a non-secure page. The author never said 'regardless'; they were asking about their own circumstances, and in this case it's NOT secure! The Gmail attack was due to Google storing data in JavaScript on their own server, and this allowed users to call the function and get access to information. This does not relate to SSL but to a flaw in their logic. In fact, because of secure SSL no script could be run on Google's server; all the attackers were doing was calling a function they had created for them.

We could go around forever on this; let's agree to disagree here.
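The two points argued above, whether the framed form's own traffic is encrypted and whether the enclosing non-secure page can interfere with it, can be checked mechanically rather than debated. The Python below is an added example written for this page, not code posted by any participant. It classifies each iframe in a parent page by the parent/frame scheme combination, and evaluates whether the framed page's response headers (Content-Security-Policy frame-ancestors, falling back to X-Frame-Options) let a given parent frame it at all. The parent page URL, the second iframe and every header set are constructed for illustration; only the first iframe src is the one from the question. Wildcard hosts in frame-ancestors are deliberately not handled.

```python
"""Classify how a page frames an HTTPS form and check whether the framed
page's own headers permit that framing.

Added example for this thread; not code posted by any participant. The
parent URL, second iframe and all headers are constructed; only the first
iframe src comes from the question. Wildcard frame-ancestors are not handled.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def classify_frames(parent_url, html):
    """Return (absolute_frame_url, verdict) for each iframe in the parent page.

    https-in-http: frame bytes are encrypted in transit, but the parent is
                   clear text, so its <iframe> tag can be altered on path and
                   the browser shows no padlock for the frame.
    http-in-https: classic mixed content; modern browsers block it.
    consistent:    parent and frame share a scheme.
    """
    collector = IframeCollector()
    collector.feed(html)
    parent_scheme = urlparse(parent_url).scheme.lower()
    results = []
    for src in collector.sources:
        frame_url = urljoin(parent_url, src)  # resolve relative src
        frame_scheme = urlparse(frame_url).scheme.lower()
        if parent_scheme == "http" and frame_scheme == "https":
            verdict = "https-in-http"
        elif parent_scheme == "https" and frame_scheme == "http":
            verdict = "http-in-https"
        else:
            verdict = "consistent"
        results.append((frame_url, verdict))
    return results


def _origin(url):
    parts = urlparse(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def framing_allowed(frame_url, frame_headers, parent_url):
    """Apply the framed page's anti-framing headers to a candidate parent.

    frame-ancestors wins when present; otherwise X-Frame-Options is used;
    with neither header, any page may frame the document.
    """
    headers = {k.lower(): v for k, v in frame_headers.items()}
    frame_origin = _origin(frame_url)
    parent_origin = _origin(parent_url)
    parent_scheme = urlparse(parent_url).scheme.lower()

    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        for source in parts[1:]:
            token = source.strip("'").lower()
            if token == "none":
                return False
            if token == "self" and parent_origin == frame_origin:
                return True
            if token in ("http:", "https:") and token[:-1] == parent_scheme:
                return True
            if token == parent_origin:
                return True
        return False  # directive present, no source matched this parent

    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent_origin == frame_origin
    return True


# Constructed parent page; the first iframe is the one from the question.
PARENT_URL = "http://www.example.com/index.html"
PARENT_HTML = """
<html><body>
<iframe name="i_frame" width="690" height="450" scrolling="no"
        src="https://www.mywebsite.com/myform.php"></iframe>
<iframe src="/footer.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for url, verdict in classify_frames(PARENT_URL, PARENT_HTML):
        print(f"{verdict:14} {url}")
    # Constructed header set a hardened form host might send.
    hardened = {"Content-Security-Policy": "frame-ancestors 'self'"}
    print("non-secure parent may frame the form:",
          framing_allowed("https://www.mywebsite.com/myform.php", hardened, PARENT_URL))
```

The https-in-http verdict captures both sides of the argument: the form's own request and response are carried over TLS, and the same-origin policy stops the parent's scripts from reading the cross-origin frame's DOM, but the parent page itself is neither encrypted nor authenticated, so anything it contains, including the iframe tag, can be rewritten in transit and the user has no address-bar indication of what the frame is talking to. A form host that does not want to be embedded from non-secure pages can refuse it with the frame-ancestors directive shown in the hardened header set, and the cleanest fix remains serving the parent page over HTTPS as well.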
