Security Basics mailing list archives
RE: HTTPS vs encrypted frames in HTTP
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 17 Dec 2003 09:48:25 -0800
The browser would still have to do the SSL handshake with the webserver and thus the data transmitted from the browser to that webpage should be encrypted. Personally I feel its bad design to not have the 'Padlock' because that will generate customer complaints and turn away weary customers. Also if you can see the SSL cert and it's from a trusted source, Verislime or others, then you should be ok. I'd look at the source of the frame page; it's probably calling the other frames with an http:// URL while the 'secured' frame is an https:// URL. For a second there I thought you were talking about network frame, boy I've been around wires way too much! Shawn Jackson Systems Administrator Horizon USA 1190 Trademark Dr #107 Reno NV 89521 www.horizonusa.com Email: sjackson () horizonusa com Phone: (775) 858-2338 (800) 325-1199 x338 -----Original Message----- From: b00 dog41 [mailto:b00dog41 () hushmail com] Sent: Wednesday, December 17, 2003 7:06 AM To: security-basics () securityfocus com Subject: HTTPS vs encrypted frames in HTTP Hello all, Hope this is the correct forum to post. I have an commercial website my company uses for purchases. We have made our users aware of checking that the sites they purchased from use HTTPS. A user called because this site does not use HTTPs in the user profile (credit card entry/edit and shopping cart areas). The web site vendor claims they are secure because they encrypt the frames with SSL vs encrypting the whole web page via HTTPS. I have not seen this before and am uncomfortable with the technique. We can in fact see the cert by right clicking on the frame and choosing properties. My question: Is frame encryption good enough? Is there a method or known vulnerabilities to entercept traffic. Bottom line: Should I be worried about this? Any information would be greatly appreciated.... B00Dog41 ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- HTTPS vs encrypted frames in HTTP b00 dog41 (Dec 17)
- Re: HTTPS vs encrypted frames in HTTP Sasha (Dec 17)
- Re: HTTPS vs encrypted frames in HTTP Eloi Granado (Dec 18)
- <Possible follow-ups>
- RE: HTTPS vs encrypted frames in HTTP Shawn Jackson (Dec 17)
- Re: HTTPS vs encrypted frames in HTTP Sasha (Dec 17)