Re: HTTPS vs encrypted frames in HTTP

[Sasha <alserkli () inbox ru>]

On Wed, 17 Dec 2003, b00 dog41 wrote:
> The web site vendor claims they are secure because they encrypt the
> frames with SSL vs encrypting the whole web page via HTTPS.  I have not
> seen this before and am uncomfortable with the technique.  We can in
> fact see the cert by right clicking on the frame and choosing
> properties.
This can mean that they send encrypted messages over http, or that you
have browser window divided into frames, and on of the pages use https. I
guess the second explanation is the correct one.

> My question:  Is frame encryption good enough?  Is there a method or
> known vulnerabilities to entercept traffic.
Well, if you know url of the page you can as well open it in the separate
window. Unless there are bugs in you browser which allows a script from
one frame read values set in another frame and scripts in other frames
exploiting this bugs you have no problem.

> Bottom line:  Should I be worried about this?
If you concerned with network interception -- NO.

Regards,
ASK


---------------------------------------------------------------------------
----------------------------------------------------------------------------