Security Basics mailing list archives

RE: HTTPS vs encrypted frames in HTTP
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 17 Dec 2003 09:48:25 -0800

        The browser would still have to do the SSL handshake with the
webserver and thus the data transmitted from the browser to that webpage
should be encrypted. Personally I feel it's bad design to not have the
'Padlock' because that will generate customer complaints and turn away
wary customers. Also if you can see the SSL cert and it's from a
trusted source, Verislime or others, then you should be ok. I'd look at
the source of the frame page; it's probably calling the other frames
with an http:// URL while the 'secured' frame is an https:// URL.

        For a second there I thought you were talking about network
frames. Boy, I've been around wires way too much!

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: b00 dog41 [mailto:b00dog41 () hushmail com] 
Sent: Wednesday, December 17, 2003 7:06 AM
To: security-basics () securityfocus com
Subject: HTTPS vs encrypted frames in HTTP

Hello all,

Hope this is the correct forum to post. I have a commercial website my
company uses for purchases.  We have made our users aware of checking
that the sites they purchased from use HTTPS.  A user called because
this site does not use HTTPS in the user profile (credit card entry/edit
and shopping cart areas).

The web site vendor claims they are secure because they encrypt the
frames with SSL vs encrypting the whole web page via HTTPS.  I have not
seen this before and am uncomfortable with the technique.  We can in
fact see the cert by right clicking on the frame and choosing

My question:  Is frame encryption good enough?  Is there a method or
known vulnerabilities to intercept traffic?

Bottom line:  Should I be worried about this?

Any information would be greatly appreciated.... 
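
The check suggested in the reply above (read the frame page's source and compare the scheme of the parent page with the scheme of each frame URL), as an added example that is not part of the original thread. The host names and the frameset markup are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a frameset page fetched over plain HTTP (hypothetical host).
PAGE_URL = "http://shop.example.com/profile.html"
PAGE_HTML = """
<html><frameset cols="20%,80%">
  <frame name="nav" src="/menu.html">
  <frame name="card" src="https://secure.example.com/card_entry.asp">
  <frame name="cart" src="cart.html">
</frameset></html>
"""

class FrameCollector(HTMLParser):
    """Collect the src of every <frame> and <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_frames(page_url, html):
    """Return (parent_is_https, [(absolute_frame_url, scheme), ...])."""
    collector = FrameCollector()
    collector.feed(html)
    # A relative src inherits the parent page's scheme and host.
    urls = [urljoin(page_url, src) for src in collector.sources]
    return urlparse(page_url).scheme == "https", [(u, urlparse(u).scheme) for u in urls]

def findings(page_url, html):
    """Human-readable findings for a mixed HTTP/HTTPS frameset."""
    parent_https, frames = audit_frames(page_url, html)
    out = []
    if not parent_https:
        # The browser padlock reflects the top-level page, not individual frames.
        out.append("parent page is plain HTTP: no padlock, frameset source is unauthenticated")
    for url, scheme in frames:
        if scheme != "https":
            out.append(f"frame not encrypted: {url}")
        elif not parent_https:
            out.append(f"HTTPS frame inside HTTP parent: {url}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(PAGE_URL, PAGE_HTML)))
```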