[ProgSoc] HTTPS and Frames
This one's been bugging me for a few days now. Here is the scenario. I
access an online retailer, which utilises a secure shopping cart. Now so
that they always have their root domain and no path in the browser
location window they have a Frameset with one main frame in it. Now when
you go to the 'enter payment details screen' you don't get a URL starting
HTTPS, and there is no little padlock at the bottom. I've drilled into the
HTML and found that the main frame is indeed served by a secure server
(via HTTPS) so I therefore trust that it comes from the correct
location. But can I trust the overall page as the frame it is contained
within isn't secure?
Picture this, I as a malicious user link their site from my page, but
instead of linking to their frameset I create my own, but get the main
frame served from their webserver. Then on the payment details screen I
have another hidden frame that using javascript copies the credit card
details and saves them/emails them etc. Now the frame they enter the
details in is trusted and secure and the data is encrypted back to the
webserver on the form POST, but the whole browser window is not secure.
Does this sound right? Does this mean you should never have your payment
entry details within a frame if the frameset is not sent
securely? Comments / links to standards docs etc. would all be appreciated
Cheers,
Bryn
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
Bryn D Price
bdprice@nospam.it.uts.edu.au
redshift@nospam.progsoc.uts.edu.au
bryn@nospam.progsoc.uts.edu.au
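As an added illustration (not part of Bryn's post or any retailer's code), here is the kind of check a payment page can make before rendering its card form, refusing to render when it is not the top-level document, together with the response headers that stop a third-party frameset from wrapping it at all. The window-like objects, origins and function names are constructed for a stand-alone run and are not from the original message.

```javascript
// Classify how the current document is being displayed. Cross-origin access
// to window.top.location throws in browsers, which itself reveals that a
// foreign document (such as an attacker's frameset) is wrapping the page.
function framingStatus(win) {
  if (win.top === win.self) return { framed: false, reason: "top-level" };
  let topOrigin;
  try {
    topOrigin = win.top.location.origin;
  } catch (e) {
    return { framed: true, reason: "cross-origin frameset" };
  }
  if (topOrigin !== win.location.origin) {
    return { framed: true, reason: "foreign origin " + topOrigin };
  }
  return { framed: true, reason: "same-origin frameset" };
}

// Render the card-entry form only for an HTTPS document that is either
// top-level or framed by a same-origin (hence also HTTPS) frameset.
function shouldRenderPaymentForm(win) {
  if (win.location.protocol !== "https:") return false;
  const status = framingStatus(win);
  return !status.framed || status.reason === "same-origin frameset";
}

// Server-side headers that prevent framing by other origins up front, so the
// script check above is only a fallback for browsers that ignore them.
function paymentPageHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000",
  };
}

// Constructed window-like objects (assumed shapes, not real browser windows).
function fakeWindow(origin, protocol, top) {
  const w = { location: { origin, protocol } };
  w.self = w;
  w.top = top || w;
  return w;
}
function crossOriginTop() {
  // Mimics a browser's cross-origin window: touching location throws.
  return { get location() { throw new Error("SecurityError"); } };
}
```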