SSL and Frames - Security Issue?

[jon_l]

I just had a customer say something that I found a little bit concerning. I tried a search through the forums and couldn't see anything on it being raised before so....

 

A customer found our site through a search engine. When the customer clicked on our link our site got opened up in a frame. Everything was fine until they went to checkout. At which point, the site did not switch to SSL as it should. I haven't been able to verify this yet, as I can't find our site in the search engine.

 

I'm guessing this is probably because the main page was not SSL, and so the frame wouldn't open as SSL. Is this correct? Or could there be another reason?

 

I realise this isn't an OSC problem, if indeed there is a problem. If it is as I suggested above, if there any way to stop checkout and ask the user to open the site in a new window?

 

By the way....the user commented on the site being very well laid out, easy to use and was very impressed that when they opened the site in a new window, it remembered what was in the shopping cart. This is on a site that is pretty much standard OSC....so a big pat on the back to Harald and the others....

 

Jon.

[Ian]

Jon,

 

When the customer went to checkout, your secure server will have been operating. Trouble is your customer will have no way of knowing this. As the site is in a frame the browser url will not change, and because the main frame page is not operating in ssl (ven though your site is) the ssl lock will not appear.

 

There are some javascript scriptlets that you can hunt out which will break you out of a frame, although I've never used them (and they rely on javascript :lol: )

[jon_l]

Is there any other options?

 

What about putting a warning message in the first secure page, offering the user a link to open the site in a new browser window if the site does not show as being secure?

 

A lot of people are becoming more and more aware about security, and this could be resulting in lost sales as they think the site is not secure.

 

Does anyone do anything regarding this?

 

Jon.

[hobbzilla]

My biggest suggestion is rid yourself of frames. They are not good from a search engine standpoint, nor a user-interface standpoint. Do some research and see for yourself that frame driven sites are baaaaadddd!

 

You can always open a new browser window for the pages you need in SSL (without javascript). Remember : all pages in the frameset have to be https for the lock to appear at the bottom and make it easy for the end-user to see that they are sending info secure. (they are still sending the info in the https frame securely.. but it isn't apparant to them.. and thus-bad).

[jon_l]

My biggest suggestion is rid yourself of frames. They are not good from a search engine standpoint, nor a user-interface standpoint. Do some research and see for yourself that frame driven sites are baaaaadddd!

An excellent point and one that I agree with totally. However, if you read my post you will see that I do not use frames (and never have) and that the frames are created by a search engine, which I obviously do not have any control over. If your site is listed by the same search engine, you will be experiencing exactly the same problem

 

All I can think of is to put a warning message up in checkout, explaining that whilst the pages are secure, this may not show if they are viewing the page through frames. Maybe adding a link to that page to open in a new window would do the trick.

 

Jon.

[mattice]

You could use javascript to break from the frame and a <noscript> to meta-refresh forward users that do not have js... Set a parameter to the meta refresh url which you check with php so it doesn't loop.

 

HTH

Mattice