0

I have developed this new website in ASP.NET MVC 3 (so I don't think I can use AJAX).

So I want to create a page on this new website like this: www.mynewwebsite.com/store

Within that page, I want to use an iframe to show the old e-commerce website, so that people will stay on the same domain name (i.e. the new website) and will be able to buy products from the old website while being on the new website.

The old e-commerce website that I am trying to use as the iframe source has an SSL certificate. Do you think that if somebody buys something within the iframe session over SSL, it might cause problems because the URL in the address bar will be that of the new website? Or won't it have any effect?

super
  • http://stackoverflow.com/questions/2387691/ssl-iframe-is-embedded-on-other-web-site – MTZ4 May 27 '14 at 05:59

1 Answer

1

Authentication of the server is fundamental for securing the HTTPS connection. This means that users must be able to see that they're on the right site, with a verified certificate.

If your "outer" site (the one that contains the iframe) is using plain HTTP: this is clearly bad practice, since the users won't be able to see they're using HTTPS properly at all. Mixed content is to be avoided both ways.

If the outer site is using HTTPS (with a different host name and certificate), it effectively vouches for what it serves through the iframe, implicitly, or at least this should be the expectation to have for presenting the outer frame with a verified certificate. I wouldn't consider that "best practice", but it's not as bad.

Bruno
  • Yes, I understand customers won't be able to see whether they are doing the transaction using SSL or not. But my question is about security. If the iframe background source is using SSL and my main website is NOT using SSL, will the SSL certificate from the iframe source cause any problem during the checkout process, because the URL in the address bar will be that of the current website? – super Nov 04 '11 at 17:19
  • The ability for the users to be able to check what they're using is an integral part of the security aspect. This is essential to any security assessment. If you're looking for a more technical aspect to this, an attacker could do a MITM attack on the containing page and replace the iframe link to your site by a link to a fake site (perhaps proxy/similar looking). – Bruno Nov 04 '11 at 17:33
  • So in this situation what would you recommend? The best practice? I don't want online customers to go to two different websites; it is too much work for customers to change pages again and again. – super Nov 04 '11 at 17:51
  • At the very least, the outer page should also be served via HTTPS (and all its content: images, JavaScript...) – Bruno Nov 04 '11 at 18:44
  • In that case, won't the 2 SSL certificates conflict with each other? – super Nov 04 '11 at 20:19
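
An added example, not part of the original question, answer or comments: a small Python check that sorts an embedding page into the cases discussed above (plain-HTTP outer page around an HTTPS frame, HTTPS outer page with HTTP content, HTTPS outer page framing a different host). The host names, the sample markup and the function name `audit_embedding` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the browser fetch a URL (subset for illustration).
FETCHING = {"iframe": "src", "img": "src", "script": "src"}

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, raw URL) pairs in document order
    def handle_starttag(self, tag, attrs):
        attr = FETCHING.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.refs.append((tag, url))

def audit_embedding(page_url, html):
    """Return (severity, message) findings for one embedding page."""
    outer = urlsplit(page_url)
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.refs:
        target = urlsplit(urljoin(page_url, raw))  # resolves relative URLs
        if target.scheme not in ("http", "https"):
            continue
        if outer.scheme != "https":
            if tag == "iframe" and target.scheme == "https":
                findings.append(("high", f"HTTPS frame {target.netloc} inside a plain-HTTP "
                                 "page: the frame link itself is unauthenticated"))
        elif target.scheme != "https":
            findings.append(("high", f"mixed content: <{tag}> loads {target.geturl()} over HTTP"))
        elif tag == "iframe" and target.hostname != outer.hostname:
            findings.append(("info", f"frame host {target.hostname} differs from page host "
                             f"{outer.hostname}: the outer certificate vouches for it implicitly"))
    return findings

# Constructed sample input: hypothetical host names and markup.
SAMPLE = """<html><body>
<img src="http://static.newsite.example/logo.png">
<script src="/js/site.js"></script>
<iframe src="https://oldshop.example/cart"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url in ("http://www.newsite.example/store", "https://www.newsite.example/store"):
        print(url)
        for severity, message in audit_embedding(url, SAMPLE):
            print(f"  [{severity}] {message}")
```

Serving the same markup over HTTPS turns the frame finding from "high" into "info" but exposes the HTTP image as mixed content, which is why the outer page and all of its content have to move to HTTPS together.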