Solved

Is it safe to embed a secure web page within an iFrame?

Posted on 2008-06-10
Last Modified: 2010-04-21
Hello,

I'm hosting a secure form (https://www.mywebsite.com/myform.php) on a different server and I want to display it with an iFrame on a non-secure site:

<iframe name="i_frame" width="690" height="450" scrolling="no" src="https://www.mywebsite.com/myform.php"></iframe>

Is it safe to do so? Will the non-secure site over-ride the secure site?

Thanks
Question by:wattanabi2
17 Comments
 
LVL 12

Expert Comment

by:pigmentarts
ID: 21754222
It's not secure; you will have both secure and non-secure items on your page.
 
LVL 14

Accepted Solution

by:
_Stilgar_ earned 500 total points
ID: 21754924
It is perfectly fine to do so as long as you're keeping to simple guidelines, although not recommended since web browsers tend to warn users of such situations.

As long as the iframe is being loaded from an https:// location, and info is being submitted to an https:// location, that's fine, since data will travel securely (the form can even be loaded from http://, as long as the data you need to encrypt only travels on https://). This situation IS secure, but most likely your site users will not be able to see that it is, since it is in an iframe.

Stilgar.
 

Author Closing Comment

by:wattanabi2
ID: 31465863
Hi Stilgar,

That's what I thought. Is there a more technical way to explain this? Mainly how the embedded iFrame is technically behind a non-secure site, yet the actual transaction is secure.

thanks
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 21755031
Sure. The technical explanation lies in my post - as long as data is being transmitted on a secure channel, this is fine. When your iframe posts to an https:// location, it uses SSL sockets, which create a secured channel.

Stilgar.
 

Author Comment

by:wattanabi2
ID: 21755046
Perfect. Thanks Again!

 
LVL 12

Expert Comment

by:pigmentarts
ID: 21755243
Allowing mixed content is a security risk. Everything should be hosted through HTTPS!
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 21755280
Ideally, yes, but what is going through a secured tunnel is secured - a web browser is loading data asynchronously, so what is secured is left secured, and what is not is not. Can you explain what risk there is to the secured data?

Stilgar.
 
LVL 12

Expert Comment

by:pigmentarts
ID: 21755332
The risk of displaying mixed content is that a non-secure web page or script might be able to access information from the secure content. This can be done in script very easily: on the non-secured page a script could send screen grabs back asynchronously if it wished to. I write payment gateways; if you want your data to be truly secure you should not do this.
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 21755378
Yes, but as long as you're the author of the two I don't see any reason for not doing that if you must for some reason (minus the fact the web browser will probably nag you about it, or will not care to tell you the iframe is secured). This is the case, btw, with many ads in secured sites throughout the web.

Stilgar.
 

Author Comment

by:wattanabi2
ID: 21755468
Maybe this will clear things up. I found a site that is currently doing this:

http://www.jeffcopublicschools.org/misc/employee_connections.html

Note the embedded iFrame:

<iframe vspace="0" hspace="0" id="i_frame" name="i_frame" allowtransparency="true" frameborder="0" width="690" height="450" scrolling="no" marginwidth="0" marginheight="0" src="https://slb.jeffco.k12.co.us:472/websurvey/Login.cfm" align="left" title="Music Calendar"></iframe>
 
LVL 12

Expert Comment

by:pigmentarts
ID: 21755472
The question was: is it secure? And from a customer's point of view it is NOT. If he/she is developing a commercial site I don't think the customers are just going to take the website owner's word that they are not going to be spying on them. Payment systems are secured so that not even the domain owner gets to see personal information entered; this would defeat the point.

The other point is, it's not just the author that could create such a script. If this is how data is being secured it would lead me to believe the site owner could have other server weaknesses that would allow me to upload such a script, such as cross-site scripting, holes in IIS etc. If a weakness could be found a script could find its way to the server very easily.

The last factor is that many customers concerned with security disable pages that show both secure and non-secure content. Browsers like IE and FF have this option and many use it.
 
LVL 12

Expert Comment

by:pigmentarts
ID: 21755489
Just because you found one site that is doing it does not mean it's correct; I can give you examples of millions that are not. OK, it's only a password screen, but if this was payment details they would have major problems. Just read the post above.
 

Author Comment

by:wattanabi2
ID: 21755538
I'm not saying that this is "correct". I'm only showing an example of a site that is currently doing what I want to accomplish just so that everyone is on the same page.
 
LVL 12

Expert Comment

by:pigmentarts
ID: 21755578
If that's all you are doing I don't see anyone going to great lengths to hack this. But you will put people off, and some like myself will not see the page because I don't display mixed items.

You asked:

Is it safe and secure? Answer: it's not.

Will the non-secure site over-ride the secure site? Answer: yes; users on IE MAY get a popup telling them the page is both secure and non-secure.


I don't think you should have accepted the answer of _Stilgar_ as it is not correct and is bad advice.
 
LVL 12

Expert Comment

by:pigmentarts
ID: 21755614
Sorry if I sound a little abrasive; it's late here (must go to bed). I just want to make sure you get the correct facts for your question.
 
LVL 14

Expert Comment

by:_Stilgar_
ID: 21755736
@pigmentarts - even if the whole site is secured, and the webmaster is hosting a 3rd party form, he can access that form's data with a script and post it with AJAX to his pages/WSs or whatever. Hacks can be done everywhere, anytime. The recent Gmail exploit is a very good example - google for it if you haven't heard of it. The author asked whether data in the iframe will be secured as it is - regardless of the non-secure page wrap - and the answer to that is yes. Whether that page wrap is harmless or not is really up to him...

Stilgar.
 
LVL 12

Expert Comment

by:pigmentarts
ID: 21758002
Data would only be secure in the iframe if the page it was embedded on was also on SSL. In this case the information is NOT secure in the iframe because it's embedded on a non-secure page. The author never said 'regardless'; they were asking about their own circumstances, and in this case it's NOT secure! The Gmail attack was due to Google storing data in JavaScript on their own server, and this allowed users to call the function and get access to information. This does not relate to SSL but to a flaw in their logic. In fact, because of secure SSL no script could be run on Google's server; all attackers were doing was calling a function they created for them.

We could go around forever on this; let's agree to disagree here.
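A worked example added here, not part of the original thread, of the control the two experts are circling around. Two facts are worth separating. First, a script on the plain-http parent page cannot read the HTTPS iframe's DOM: the two documents are different origins and the same-origin policy blocks that access, so the form's contents and its transit to the server are protected. Second, the parent page itself travels in the clear, so anyone on the network path can rewrite it before it reaches the user, for example by pointing the iframe at a look-alike form or overlaying it; the user sees an http:// address bar and has no way to tell. Whether the form's server tolerates being embedded by an http:// page is therefore a decision the form's server should make, and in current browsers it is made with the Content-Security-Policy frame-ancestors directive, a mechanism that postdates this thread. The Node.js snippet below builds the headers the framed form should send and includes a small evaluator of the frame-ancestors matching rules so the effect can be checked offline; the parent host www.example-parent.com, the partner hosts and the cookie name are assumptions, not anything from the thread.

```javascript
"use strict";

// Added example, not code from the thread. Host names and the cookie name
// are placeholders chosen for illustration.

// Response headers for the framed HTTPS form (https://www.mywebsite.com/myform.php
// in the question). allowedParents lists the origins permitted to embed it;
// sessionId stands in for whatever session token the form issues.
function framedFormHeaders(allowedParents, sessionId) {
  const ancestors = ["'self'", ...allowedParents].join(" ");
  return {
    // Authoritative framing control: a plain-http parent never matches an
    // https:// source, so the browser refuses to render the form inside it.
    "Content-Security-Policy": `frame-ancestors ${ancestors}`,
    // Keep the form's own origin on HTTPS once a browser has seen it.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    // A cookie used inside a cross-site frame must be Secure and
    // SameSite=None, or current browsers will not send it with the iframe.
    "Set-Cookie": `formsession=${sessionId}; Secure; HttpOnly; SameSite=None; Path=/`,
  };
}

// --- Minimal evaluator of the CSP frame-ancestors matching rules ---
// Supports 'none', 'self', scheme-sources ("https:") and host-sources
// ("example.com", "*.example.com", "https://example.com:8443", "*").
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?$/i;
const SCHEME_SOURCE = /^([a-z][a-z0-9+.-]*):$/i;
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// CSP3 "scheme-part match": an http source also covers https (same for ws/wss).
function schemeMatches(exprScheme, urlScheme) {
  const a = exprScheme.toLowerCase(), b = urlScheme.toLowerCase();
  return a === b || (a === "http" && b === "https") || (a === "ws" && b === "wss");
}

function hostMatches(exprHost, urlHost) {
  const h = exprHost.toLowerCase(), u = urlHost.toLowerCase();
  if (h === "*") return true;
  if (h.startsWith("*.")) {
    const suffix = h.slice(1);                // "*.example.com" -> ".example.com"
    return u.endsWith(suffix) && u.length > suffix.length;
  }
  return h === u;
}

// URL.port is "" when the URL uses its scheme's default port.
function portMatches(exprPort, url) {
  if (exprPort === "*") return true;
  if (exprPort === undefined) return url.port === "";
  return exprPort === (url.port || DEFAULT_PORT[url.protocol] || "");
}

function sourceMatches(expr, protectedOrigin, ancestor) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return ancestor.origin === protectedOrigin.origin;
  const ancestorScheme = ancestor.protocol.slice(0, -1);   // "https:" -> "https"
  const s = SCHEME_SOURCE.exec(expr);
  if (s) return schemeMatches(s[1], ancestorScheme);
  const h = HOST_SOURCE.exec(expr);
  if (!h) return false;                                     // unsupported expression: fail closed
  const [, scheme, host, port] = h;
  // A host-source without a scheme inherits the scheme of the protected page,
  // so an http:// ancestor cannot match it when the form is served over https.
  const schemeOk = scheme
    ? schemeMatches(scheme, ancestorScheme)
    : schemeMatches(protectedOrigin.protocol.slice(0, -1), ancestorScheme);
  return schemeOk && hostMatches(host, ancestor.hostname) && portMatches(port, ancestor);
}

// Would a browser let the page at ancestorUrl embed the page at protectedUrl,
// given that page's Content-Security-Policy header value?
function frameAllowed(cspHeader, protectedUrl, ancestorUrl) {
  const directive = cspHeader.split(";").map((d) => d.trim().split(/\s+/))
    .find((parts) => parts[0].toLowerCase() === "frame-ancestors");
  if (!directive) return true;               // no frame-ancestors: framing unrestricted
  const protectedOrigin = new URL(protectedUrl);
  const ancestor = new URL(ancestorUrl);
  return directive.slice(1).some((src) => sourceMatches(src, protectedOrigin, ancestor));
}

// Demo: the form from the question, embedded by an assumed parent site.
const headers = framedFormHeaders(["https://www.example-parent.com"], "abc123");
const form = "https://www.mywebsite.com/myform.php";
for (const parent of ["https://www.example-parent.com/page.html",
                      "http://www.example-parent.com/page.html",
                      "https://www.mywebsite.com/other.html"]) {
  const verdict = frameAllowed(headers["Content-Security-Policy"], form, parent);
  console.log(parent, "->", verdict ? "allowed" : "blocked");
}
```

The only way to permit the plain-http parent in the question is to list it with an explicit http:// source in frame-ancestors; leaving the scheme off a host-source, or using https://, refuses it even when the host matches. Whether to grant that is exactly the decision the two experts disagree about, and the evaluator lets you see what a given policy would do before deploying it.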
