Why “Secure iframes” on HTTP Sites Are Bad for Security
Earlier this year it was reported that half of the web is now served over SSL (Wired.com). Still, quite a number of sites keep their pages on plain HTTP and try to secure only the embedded parts of the page that handle sensitive data. There are two approaches to this:
- A form embedded in an iframe served over https (not terrible but still a bad idea).
- A form that loads over HTTP and submits over HTTPS (this is terrible).
A form that loads on an HTTP page and submits to an HTTPS endpoint is, security-wise, meaningless. The page itself travels unprotected, so a man-in-the-middle attacker on the HTTP side can tamper with it and read the data entered into the form before it is ever submitted. The protection HTTPS adds to the submission is lost, because the attacker never needs to break the encrypted leg at all.
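A small audit helper for exactly the two patterns above, added here as an example and not code from the original post: it parses an HTML page that was served over HTTP and flags any form whose action resolves to an HTTPS URL (the "terrible" case) and any HTTPS iframe embedded in it (the "still a bad idea" case). The page URL and HTML below are constructed sample input.

```python
"""Flag HTTP pages that rely on HTTPS only for embedded forms or iframes."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class MixedTrustAuditor(HTMLParser):
    """Collects <form action> and <iframe src> targets while parsing."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action submits to the page's own URL.
            self._check("form", urljoin(self.page_url, a.get("action") or ""))
        elif tag == "iframe" and a.get("src"):
            self._check("iframe", urljoin(self.page_url, a["src"]))

    def _check(self, kind, target):
        page_scheme = urlsplit(self.page_url).scheme
        target_scheme = urlsplit(target).scheme
        # Only the HTTP-page / HTTPS-target combination is the anti-pattern;
        # a form posting over HTTPS is worse than an iframe, so rank it higher.
        if page_scheme == "http" and target_scheme == "https":
            severity = "critical" if kind == "form" else "warning"
            self.findings.append((severity, kind, target))


def audit(page_url, html):
    """Return (severity, element, target) tuples for mixed-trust embeds."""
    parser = MixedTrustAuditor(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: an HTTP checkout page using both patterns.
SAMPLE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<form action="https://pay.example/submit" method="post"><input name="card"></form>
<iframe src="https://pay.example/frame"></iframe>
<form action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for severity, kind, target in audit(SAMPLE_URL, SAMPLE_HTML):
        print(f"{severity}: <{kind}> on HTTP page targets {target}")
```

The same-scheme search form is deliberately not reported; the fix for a reported finding is to serve the whole page over HTTPS, not to tweak the embed.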
via DZone.com Feed https://dzone.com
May 16, 2017 at 02:10PM