iframe an SSL secured form on a non SSL site | ansaurus

tags:

iframe
ssl

views:

488

answers:

1

+2 Q:

iframe an SSL secured form on a non SSL site

I have a request in from a client that would like one of their existing forms present on another website.

They would like to have a payment form present in an iframe.

What, if any, implications are there when iframing in an SSL website into a non-SSL website when payment processing is concerned?

+2 A:

Your users' browser will give them security warnings that basically say this is an unsafe scenario. For example, a man-in-the-middle attack could inject javascript into your non-SSL page and now you are potentially compromised.

In this scenario, a popup or flat-out page redirect is the appropriate way to do this. As you are probably well-aware, you want 100% of content in your browser to be hosted via SSL in this sort of scenario. Otherwise, you simply are not guaranteed to be protected. That's the reason for those warnings.

Jaxidian 2010-03-16 20:41:59

That's what I thought. I was just told we can also SSL secure the second site as well. That should get us out of unsecure content warnings. Thanks.

Kevin 2010-03-16 20:44:10

related questions

Why is access denied when installing SSL cert on IIS 5?

What does a PHP developer need to know about https / secure socket layer connections?

Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?

Coding Dojo with IE and SSL

Enforce SSL in code in an ashx handler

How to connect to PostgreSQL from .NET using TLS with both client and server authentication?

HELP SSL GURUs!!! ... Problems with SSL Connection

What's a clean/simple way to ensure the security of a page?

How to specify accepted certificates for Client Authentication in .NET SslStream

SharePoint stream file for preview

Problem with Oracle Application Server SSL Certificates

Is there a limit with the number of SSL connections?

Testing HTTPS files with MAMP

Cheapest SSL certificates

Limiting traffic to SSL version of page only

How do I support SSL Client Certificate authentication?

Why can't I connect to my CAS server with Perl's AuthCAS?

Is there a way to make Firefox ignore invalid ssl-certificates?

How do I create a self signed SSL certificate to use while testing a web app.

Can a proxy server cache SSL GETs? If not, would response body encryption suffice?

HTTPS in IIS 5.1

How do you redirect HTTPS to HTTP?

Debugging: IE6 + SSL + AJAX + post form = 404 error

How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS

Options for Google Maps over SSL