Why “Secure iframes” on HTTP Sites Are Bad for Security

http://ift.tt/2qnE46W

Earlier this year it was reported that half of the web is now served over SSL (Wired.com). Still, quite a number of sites keep their pages on HTTP and try to serve the secure content in embedded parts of the site. There are two approaches to this:

  • A form embedded in an iframe served over HTTPS (not terrible, but still a bad idea).
  • A form that loads over HTTP and submits over HTTPS (this is terrible).

A form that loads on an HTTP page and submits to an HTTPS endpoint is meaningless from a security standpoint, because an attacker can read the data as it is entered into the form on the web page. The protection HTTPS adds to the submission is lost: a man-in-the-middle attacker on the HTTP site can snoop on the data in the form directly.
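
As an added example (not part of the original article), the following Python audit flags both patterns in the HTML of a page that was delivered over HTTP. The URLs, sample markup, and finding labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Collector(HTMLParser):
    """Records every <form> action and <iframe> src seen in the markup."""

    def __init__(self):
        super().__init__()
        self.items = []  # list of (tag, raw URL reference)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.items.append(("form", a.get("action") or ""))
        elif tag == "iframe" and a.get("src"):
            self.items.append(("iframe", a["src"]))


def audit_page(page_url, html):
    """Return (finding, resolved_url) pairs for a page delivered over HTTP."""
    if urlsplit(page_url).scheme != "http":
        return []  # parent page is not plain HTTP; patterns do not apply
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, ref in collector.items:
        target = urljoin(page_url, ref)  # resolve relative references
        if urlsplit(target).scheme != "https":
            continue
        label = ("form-http-to-https" if tag == "form"
                 else "https-iframe-on-http-page")
        findings.append((label, target))
    return findings


# Constructed sample input: an HTTP checkout page showing both patterns.
SAMPLE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """
<form action="https://pay.example/submit" method="post">
  <input name="card"><input type="submit">
</form>
<iframe src="https://pay.example/form"></iframe>
<iframe src="/banner.html"></iframe>
"""

if __name__ == "__main__":
    for finding, url in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"{finding}: {url}")
```

Either finding means the page that hosts the sensitive form should itself be moved to HTTPS.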

via DZone.com Feed https://dzone.com

May 16, 2017 at 02:10PM
