SSL iframe within a standard non-SSL page

idv

Free Member
Mar 18, 2008
225
0
Hi

I am just looking for some advice please. I have an SSL iframe from a 3rd party which includes an online ordering facility for our website, which is not an ecommerce site and is just standard HTTP and not SSL.

Is it OK to just include the SSL iframe within the existing site, which is non-SSL?
 

ecoleman

Free Member
Feb 12, 2010
392
71
The customer will not get any warning in this case, as you would be loading an SSL iframe on a non-SSL page. If you loaded a non-SSL iframe on an SSL page, then you would get warnings.

The only problem you will have is that, although you are loading an SSL page in the iframe, the customer will not know that and may bail, thinking they are sending information over an insecure page.

As advised above, get an SSL certificate. They don't cost a lot.
 

andygambles

Free Member
Jun 17, 2009
2,616
687
Scarborough
As advised by @ecoleman, your users will not get a warning, but no SSL certificate will be displayed to the user, which may mean poor conversions as they will not know if the site is secure or not.

There is a chance (although very small) that someone could man-in-the-middle your website and therefore change the contents of the iframe.
 

idv

Thanks all

So would getting an SSL certificate make it totally secure, even in the example of the last case, where there was mention of tampering with the SSL iframe? Although I suppose they can tamper with the URL string anyway, whether it's in an iframe or not, and that's down to the application security over SSL security.

I suppose as the iframe has SSL and that's where the transaction is taking place then it would be totally secure anyway, as the outer website is technically not doing anything apart from containing a mini webpage within itself.

There would be no difference in me just loading the URL directly in the browser window instead of the iframe; as it's SSL, the transport layer is still encrypted. It's only the conversions that might be an issue because of the outer website containing it.
 

ecoleman

> I suppose as the iframe has SSL and that's where the transaction is taking place then it would be totally secure anyway, as the outer website is technically not doing anything apart from containing a mini webpage within itself.

That's correct. The page in the iframe would behave exactly as it would if it was loaded in its own page. The only difference is the customer would not a) be aware that it was an iframe and b) be aware that the contents of the iframe were secure.
 
As has been mentioned, it should be secure but isn't giving your clients any assurance (trust) in your website. Better to have the whole thing under SSL and then the client can see that they are using a secure site. An SSL can cost under £10 per year, and with the cost of a dedicated IP the whole thing under £20, so it could pay for itself easily.
 

andygambles

> I suppose as the iframe has SSL and that's where the transaction is taking place then it would be totally secure anyway, as the outer website is technically not doing anything apart from containing a mini webpage within itself.

The danger is from a MITM (man-in-the-middle) style attack. The attacker would need to poison the DNS or host records of the computer. Not hard to do with the lax security many people have when connecting to open/free wifi.

Then when a user visits your site they could alter the code (by loading a copy of your site but with modifications) so that the iframe loaded is not the SSL page but an alternative page under the control of an attacker.

However, if the main site used an SSL certificate then the visitor will receive a certificate mismatch warning if the MITM attack tries to load their own site rather than yours.

This sounds like someone would specifically have to target you. However, there are devices and scripts such as sslstrip that automate all of this.

Sit in a cafe and create your own open wifi hotspot. Amazing how many people will start using it.
 
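The embedding cases discussed in this thread can be checked mechanically. The following is an added example, not code from any poster: a small audit that classifies each iframe on a page by the scheme of the parent and of the frame. The function name, verdict labels and `example` hostnames are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_iframes(page_url, html):
    """Return [(resolved iframe URL, verdict)] for each iframe in html."""
    parent_secure = urlsplit(page_url).scheme == "https"
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        resolved = urljoin(page_url, src)  # handles relative and //host URLs
        frame_secure = urlsplit(resolved).scheme == "https"
        if parent_secure and frame_secure:
            verdict = "ok"
        elif parent_secure:
            verdict = "mixed-content"  # the case that triggers browser warnings
        elif frame_secure:
            # No warning shown, but the parent HTML travels unauthenticated,
            # so the src value itself can be rewritten in transit.
            verdict = "unauthenticated-parent"
        else:
            verdict = "cleartext"
        findings.append((resolved, verdict))
    return findings

# Constructed sample page; hostnames are placeholders.
SAMPLE_HTML = """
<iframe src="https://orders.example.net/checkout"></iframe>
<iframe src="//orders.example.net/basket"></iframe>
<iframe src="http://legacy.example.net/form"></iframe>
"""

if __name__ == "__main__":
    for base in ("http://shop.example/", "https://shop.example/"):
        for url, verdict in audit_iframes(base, SAMPLE_HTML):
            print(base, url, verdict)
```

The protocol-relative frame inherits the parent's scheme, so the same markup is reported as `cleartext` on the HTTP parent and `ok` on the HTTPS one.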
