
Iframe from domain with SSL certificate will be embedded on other site (foo.com).

  1. Must foo.com have SSL certificate?
  2. If foo.com has SSL certificate, will it be a security error? foo.com has SSL certificate for foo.com, but iframe domain has other SSL certificate.
  3. If foo.com hasn't got SSL certificate, will it be a security error?
Mitchel Sellers
Sanhe

4 Answers

  1. No.
  2. You will only get a security error if the embedding site uses SSL, but the iFramed one does not. Whether the sites use different certificates or not, that does not matter.
  3. No. (Isn't this the same question as #1?)

Summary

Having different certificates between the main page and iframed pages is not a problem.

Embedding https:// pages with <iframe /> on a http:// page is not a problem.

However, if you are running a https:// secured page that embeds non-secure pages via http://, then you might get something like this (Internet Explorer):

[image: Internet Explorer mixed-content warning dialog]

It depends on the browser and its settings. For example, in IE you can turn this off:

[image: Internet Explorer security setting for displaying mixed content]

Tower
  • While the outer page doesn't have to be over SSL (in that it won't generate a warning), not doing so defeats the point of the iframe using SSL, since the user can't check it. In addition, displaying mixed content is always a bad idea. – Bruno May 01 '12 at 18:37
  • I'm not sure why you -1'd. I've never said displaying mixed content is a good idea, and my answer essentially states the same thing as your answer recently: http://stackoverflow.com/a/9913269/283055 -- that is: "Page served over https:// with an iframe using an http:// URL: will generate mixed content warnings, thereby introducing a potential security risk, and should be avoided." – Tower May 02 '12 at 06:30
  • Just the fact that you don't warn about the security risks. "*Must foo.com have SSL certificate?*" no, should it? yes. Suggesting to turn off mixed-content warnings isn't a good idea either. – Bruno May 02 '12 at 10:27
  • @Bruno I may not know if having an SSL certificate for someone's site is or is not a security risk. That's often not a security risk depending on the nature of the site. Besides, he asked the question "must ...?", and the answer is still: he must not. Whether he should or should not, that is another question. He was not concerned about security, he was concerned about whether things break or errors are thrown. – Tower May 02 '12 at 12:48
  • Embedding an HTTPS frame in an HTTP page is extremely bad practice. While this won't produce an error, web site designers must not use this construct, to respect the security offered to the users by the embedded site. It's not a technical "must" in that it won't throw a warning, it's a "must" if you're concerned with security. – Bruno May 02 '12 at 13:01
  • Why is it bad practice @Bruno? Say it's a plugin for another site, it authenticates SSL via iframe, what's the big deal? It's still SSL'd; cookies are SSL'd, what would the compromise be? – Michael Mikhjian Jan 28 '13 at 21:20
  • @MichaelMikhjian, because the user can't know that SSL is indeed used. A MITM attacker could easily downgrade the connection to plain HTTP (or perhaps have an HTTPS connection to a different site), this would go unnoticed. Checking that SSL is used and used with the correct party can ultimately only be done by the user: it's an essential part of its security. For this the address (and any HTTPS lock symbol or similar) need to be visible by the user. Embedding an HTTPS iframe into an HTTP page hides all this. – Bruno Jan 28 '13 at 21:51
  • @Bruno Valid points made. So it's really (from another perspective) validation through visual SSL. – Michael Mikhjian Jan 28 '13 at 22:51
  • In Firefox 23 and newer mixed content is disabled by default, so sure, you can turn it off in a browser. But still try to avoid it. – blissini Nov 21 '13 at 09:58
  • @Bruno It would be the fault of the server of the content in the iframe if it does not enforce the requirement of SSL on all requests. That has absolutely nothing to do with the use of SSL in the iframe. – Bon May 09 '14 at 00:01
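The rule the accepted answer gives (an http:// page may embed an https:// iframe without complaint, but an https:// page embedding http:// content produces mixed-content warnings) is easy to check for offline before a deployment. The following checker is an added example, not code from the thread or from any of its participants; it uses only the Python standard library, and the host names in the constructed sample page are placeholders. It goes slightly beyond the thread by also resolving relative and scheme-relative (`//host/...`) URLs, which inherit the page's scheme and are therefore not mixed content, and by separating active content (frames, scripts), which browsers block, from passive content (images), which they only warn about or auto-upgrade.

```python
# Added example (not from the Stack Overflow thread): an offline checker that
# applies the rule stated above -- only an https:// page that embeds http://
# sub-resources produces mixed content. Standard library only.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> URL attribute that loads a sub-document or sub-resource.
EMBED_ATTRS = {
    "iframe": "src",
    "frame": "src",
    "script": "src",
    "img": "src",
    "object": "data",
    "embed": "src",
}

# Browsers block active mixed content (frames, scripts, objects) outright;
# passive content such as images is only warned about or auto-upgraded.
ACTIVE_TAGS = {"iframe", "frame", "script", "object", "embed"}


class _EmbedCollector(HTMLParser):
    """Collect (tag, raw_url) pairs for every embedding element seen."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = EMBED_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def find_mixed_content(page_url, html):
    """Return (tag, resolved_url, kind) for each embed that would be mixed
    content when `html` is served from `page_url`; kind is 'active' or 'passive'."""
    if urlsplit(page_url).scheme != "https":
        # An http:// outer page never triggers the warning, whichever scheme
        # the iframe uses (the "No" to questions 1 and 3 above).
        return []
    collector = _EmbedCollector()
    collector.feed(html)
    mixed = []
    for tag, raw in collector.refs:
        # Relative paths and scheme-relative "//host/..." URLs inherit https
        # from the page, so only an explicit http:// reference is mixed.
        resolved = urljoin(page_url, raw)
        if urlsplit(resolved).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            mixed.append((tag, resolved, kind))
    return mixed


# Constructed sample page; the host names are placeholders.
SAMPLE_PAGE_URL = "https://foo.com/checkout"
SAMPLE_HTML = """
<html><body>
<iframe src="https://widget.example/pay"></iframe>
<iframe src="http://legacy.example/embed"></iframe>
<img src="//cdn.example/logo.png">
<img src="http://cdn.example/banner.png">
<script src="/static/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} mixed content: <{tag}> loads {url}")
    # The same markup served from a plain-http page yields no findings.
    print(find_mixed_content("http://foo.com/checkout", SAMPLE_HTML))
```

On the sample page only the second iframe and the second image are reported; the https:// iframe, the scheme-relative image and the relative script are fine. When a finding cannot simply be changed to https://, the server-side fix is the `Content-Security-Policy: upgrade-insecure-requests` response header, which makes the browser rewrite such http:// sub-resource requests to https:// before they are sent, rather than asking users to relax the browser setting shown in the answer.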

The best way to look at an iFrame is to see it as almost a separate browser. In the case of foo.com not being SSL but the iFramed site being SSL you will not get any errors.

If you switch this around, where foo.com has SSL and the IFramed site doesn't, you can get a security warning about mixed-content from the browser.

Mitchel Sellers

It does not matter if the two websites use different SSL certificates. However, if the website that is being iframed is not SSL protected you will get a partially encrypted error message even if the website with the iframe embedded on it is SSL protected. I only know this because this is what I am dealing with right now. My web page was only secured after I took out the iframed website that did not have SSL protection.

Ben Lewis

While the main website (which contains the iframe) doesn't have to be using SSL, it really should, at least if security is a concern (which is the point of using SSL).

Not doing so prevents the user from checking that the iframe is indeed served securely and which site it's from, which makes its usage of SSL useless. (Examples here.)

Bruno