Safety - iframing ssl website and interception of input data

Discussion regarding Joomla! 3.x security issues.

patipat
Joomla! Apprentice
Posts: 17
Joined: Wed Aug 07, 2013 1:49 am

Safety - iframing ssl website and interception of input data

Post by patipat » Fri Dec 11, 2020 5:30 pm

I am pondering on quite an interesting question.

I have two websites. One is secured with SSL and the second one is without SSL. I thought that I would make a form on the first one where netizens can input their email addresses, and iframe the form with Joomla's wrapper on the second website (the one without SSL). So my question is: if email addresses are input through the website without SSL into the form on the website with SSL, could the users' data be intercepted by some bad guys?

I know that there are some iframe attacks, but as I understand it there must be a website established by a bad guy involved, or at least a website that is compromised by him. In my case I think it is irrelevant because both websites are mine. And it doesn't matter that there are two websites instead of one, as a single one can be compromised as well. Or maybe I am wrong???

AMurray
Joomla! Exemplar
Posts: 9745
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Safety - iframing ssl website and interception of input data

Post by AMurray » Sat Dec 12, 2020 3:04 am

As far as I understand your question..... you're saying "Site 1" is SSL, and will contain the form. Site 1 will load into Site 2 via an iFrame (Site 2 is non-SSL).

If the form is on the SSL site, then the data would be encrypted during transmission.

However, the risk of the iFrame being exploited by malicious users to compromise your site is not reduced regardless of SSL use (I don't know if that was the point of your question). Maybe consider the 1.14 million hits on "why iframes are bad".

Why do you actually need two sites to do this - why not just either put SSL on the other site (given you can get free SSL e.g. Let's Encrypt), or build the form within the first site that already has SSL?

Also, even though the site loads within an iframe as you have set it, it could also be accessed outside the iframe, in the browser as any other normal site if one had the direct URL for it.
Regards - A Murray
General Support Moderator


Re: Safety - iframing ssl website and interception of input data

Post by patipat » Sun Dec 13, 2020 8:50 am

Thank you for the answer. You understand my situation correctly. So as I am the owner of both sites, it seems that there is no greater risk than running the form on only one site:
As soon as you're displaying content from another domain, you're basically trusting that domain not to serve-up malware. There's nothing wrong with iframes per se. If you control the content of the iframe, they're perfectly safe.
If you control the content of the iframe, they're perfectly safe. The IFRAME element may be a security risk if your site is embedded inside an IFRAME on hostile site
https://stackoverflow.com/questions/728 ... urity-risk

I want to establish the scenario with two websites (one is non-SSL, the second one with a form is SSL) because:

- my web hosting provider raised the price of SSL by a factor of 4
- I told him that in that case I would buy no new SSL from him
- I am using shared hosting and my web hosting provider doesn't let me install SSL from other sources on my own. I need to ask its support for a paid installation, but then it costs even more than the aforementioned SSL
- it's a matter of honor now ;)


Re: Safety - iframing ssl website and interception of input data

Post by AMurray » Sun Dec 13, 2020 9:56 pm

I'd change hosts. I'm surprised this host is so restrictive with the SSL. My host provides Let's Encrypt and I can easily install it on any hosting account with that provider through cPanel.
As soon as you're displaying content from another domain, you're basically trusting that domain not to serve-up malware. There's nothing wrong with iframes per se. If you control the content of the iframe, they're perfectly safe. The iFrame element may be a security risk if your site is embedded inside an IFRAME on hostile site
I don't necessarily agree with the above statement. I think the risk exists, that your site could be compromised and a malicious user could insert their own iFrame code in your site to load their code.

But also another question, why not use a form component, and put the contact form within the site that already has SSL? That way, you remove the issue of iframes altogether.
Regards - A Murray
General Support Moderator
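
The risk quoted above, the form site being embedded inside an iframe on a hostile site, is decided by the response headers of the SSL site that serves the form. The following is an added example, not code from the thread: a simplified Python check of which parent pages a browser would allow to frame the form page. The origins `site1.example`, `site2.example` and `hostile.example` and all function names are placeholders; it assumes one level of nesting and exact-origin sources only.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed placeholder origins for the thread's two sites and a third party.
FORM = "https://site1.example/form"   # SSL site that hosts the form
SITE2 = "http://site2.example"        # non-SSL site using the wrapper
HOSTILE = "https://hostile.example"   # any site the owner does not control

def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    return p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme)

def source_matches(source, parent, own):
    """Match one frame-ancestors source expression against the parent page."""
    if source == "*":
        return True
    if source == "'self'":
        return origin(parent) == origin(own)
    s, p = urlsplit(source), urlsplit(parent)
    # An http:// source also matches the https:// version of the same host.
    scheme_ok = s.scheme == p.scheme or (s.scheme == "http" and p.scheme == "https")
    default = DEFAULT_PORTS.get(p.scheme)
    # 'none', scheme-only, scheme-less and wildcard-host sources never match here.
    return (bool(s.hostname) and scheme_ok and s.hostname == p.hostname
            and (s.port or default) == (p.port or default))

def can_frame(headers, parent, own=FORM):
    """True if a browser would let `parent` embed the page at `own`."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When frame-ancestors is present, X-Frame-Options is ignored.
            return any(source_matches(s, parent, own) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(parent) == origin(own)
    return True  # no framing policy: any site may embed the form

def report(headers):
    """Who may frame the form page under these response headers?"""
    return {"site2": can_frame(headers, SITE2), "hostile": can_frame(headers, HOSTILE)}
```

With no framing header both origins can embed the form, and `X-Frame-Options: SAMEORIGIN` blocks the hostile origin but also the owner's own wrapper on the second site. A `Content-Security-Policy: frame-ancestors 'self' http://site2.example` header on the form site allows the second site only.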


Re: Safety - iframing ssl website and interception of input data

Post by patipat » Mon Dec 14, 2020 7:34 pm

Yes, in some time I will probably change this host, but for now I have an active hosting service there so I need to wait. I think this is their 'new business model' to monopolize SSL and 'optimize' revenue from clients :D

According to you, it is easier for a malicious user to attack my website with an iframe than a similar website without an iframe, is that correct? But as I found out, there are tons of websites with [youtube] movies and Google Maps iframed. So why do so many website owners take the risk of being compromised, and why does no one warn them?

I am not sure what you mean when you mention using a form component. I have already installed (in the meantime I've made some preparations) a form component on the website that has SSL. I iframed the SSL website on the non-SSL website because I don't want to buy SSL. And I used an iframe because I didn't want netizens to see that the form is under a different domain, and to spare them an additional click to get from one website to another.

xman-logan
Joomla! Apprentice
Posts: 19
Joined: Mon Dec 14, 2020 9:10 pm

Re: Safety - iframing ssl website and interception of input data

Post by xman-logan » Mon Dec 28, 2020 11:02 pm

OK guys, here are my two cents. SSL only encrypts data during transmission... SSL does not protect the rest of the pages in the entire website. SSL websites can be hacked? Yes!

But in your scenario here, by using an iframe your users are actually working on site1, which is SSL. This is the same as working on a remote desktop: as long as the connection is secured, everything that is happening is secured.

If Site2 is hacked, that will not affect the iframe form. The form will continue to be operational on site1.

Solution: You should implement other security measures to minimize risk on site1, for example use a captcha to capture information, and implement a global firewall to protect your pages and components. Set your registered users to self when they sign up so that they will manually verify their account, and perform a backup at least once a month; if you can do it every week or twice a week, even better.

