Hello I would like to implement a payments on my web site.
I have a requirements that to do it in iframe with hidden address bar.
But in this case user would't be abble to see that we are using HTTPS protocol for sending data and e.t.c
Does is it good practice or it is looks like security issue ?
I don't think it is a good idea to hide HTTPS information from end users. If you look at any web security for dummies kind of guide, they all say that when you enter private/financial information etc make sure your address bar display the lock etc.
Even though you may in your HTML that you are using HTTPS, do you really expect users to "view source" your HTML and/or use Fiddler etc? No right?
So, do the right thing- show HTTPS URL.
BTW, from security perspective, if the first page you serve is NOT over SSL, someone could just modify HTML and inject a malicious HTTPS link with valid cert. That is why it is very important to have SSL enabled on your whole website.
No wonder HTTP 2.0 is going to be all SSL :)
Technically you don't need HTTPS if you are using iFrames for checkout. Ofcourse the 3rd party website is always protected... BUT since you cannot explain this to your customers/clients, so you have to have a HTTPS even you are using iFrames even it is secure but to make your customers feel actually that they secure you should have SSL (HTTPS).. Or I know many of your customers will simply leave your website... SO YOU DO NEED IT... YES
Related
I'm looking at buying an airline ticket, and I'm having to enter my credit card details in a http:// page, that looks like this:
If I look at the source code, this is actually an iframe with an HTTPS source, so this actually secure, but a non-tech-savvy user has no way of knowing that. Obviously, this is horrible (even for tech-savvy users).
Now, my question is, if I was the site offering this iframe (Verified by Visa in this case), is there a way that I could force modern browsers to not allow my page to be used as an iframe on http:// pages, but still allow it to be used as an iframe on https:// pages? Is there a technique that Verified by Visa really should be using here?
I'm looking at buying an airline ticket, and I'm having to enter my credit card details in a http:// page
Ouch! Someone's breaking the PCI-DSS terms of their merchant agreement huh.
If I look at the source code, this is actually an iframe with an HTTPS source, so this actually secure, but a non-tech-savvy user has no way of knowing that.
Indeed. You'd have to look at all the source code, including every piece of script on the parent page, to ensure that there is nothing interfering with the iframe (eg via clickjacking) and that the image you see in the browser page actually is the secure iframe. And ensure there were no other tabs open from the same domain with a reference to the window to cross-document-script into it... a non-starter.
if I was the site offering this iframe (Verified by Visa in this case), is there a way that I could force modern browsers to not allow my page to be used as an iframe on http:// pages, but still allow it to be used as an iframe on https:// pages?
I believe you could do it using Content Security Policy Level 2, eg with the header:
Content-Security-Policy: frame-ancestors https:
However support is patchy: at the time of writing, even the latest IE and Safari don't support it, and obviously it didn't exist at the time 3-D Secure implementations were being written. Still, if it just complains some of the time that would be enough to let an unwitting merchant know they'd messed up their payment integration.
One other thing they might have been able to do back then would be to check the Referer header for an http: address. Still not reliable (and maybe tricky to make work for all possible flows including redirect and pop-up, and in-between redirections) but could have helped.
So this is a somewhat broad question, I know, but I'm hoping someone who is wiser than I can provide a summary answer that can help wrap up all of the ins and outs of SSL for me.
Recently I watched a video of Moxie Marlinspike giving a presentation at BlackHat, and after the hour was up, I thought to myself, "It doesn't really matter what I do. There's always a way in for a determined hacker." I recall his final example, in which he demonstrated how even using a redirect when the user typed in an HTTP address to go directly to HTTPS, there is still an opportunity in that transition for an attacker to insert himself via MITM.
So if browsers always default to HTTP, and users very rarely enter an HTTPS address directly in the address bar, then an attacker who is listening for accesses to Bank X's website will always have an opportunity during the HTTP -> HTTPS redirect to gain control. I think they have to be on the same network, but that's little consolation. Seems like Marlinspike's point was that until we go straight HTTPS as a standard rather than an alternative, this will always be a problem.
Am I understanding this correctly? What is the point in redirecting to HTTPS if an attacker can use MITM during the transition to gain control? Does anyone have any clue as to preventative measures one might take to protect himself? Would redirecting via javascript that obfuscates the HTTPS links (so they can't be stripped out in transit) be of any help? Any thoughts would be appreciated!
You can use HSTS to tell the browser that your site must always be accessed using HTTPS.
As long as the browser's first HTTP connection is not attacked, all future connections will go directly over HTTPS, even if the user doesn't type HTTPS in the address bar.
There are no actually any information leak in HTTP/HTTPS redirect if implemented properly on server side (i. e. if all dangerous cookies are marked as "HTTPS only" and inaccessible for JavaScript).
Of course, if end user doesn't know anything about security, it can be hacked, but from the other hand, if you user doesn't know even basic security rules and there are not system administrator who will explain it to user, it is possible to hack such user in so many ways that HTTP to HTTPS redirect problems is not really trouble.
I saw many users who downloaded and run unknown EXE files from server just for promise to "win 1000000 dollars", which is also a good way to hack them (even better than to exploit redirection, if you run as EXE in user computer, you are already king here and can steal any user cookies under default security settings).
So, if user collaborates with hacker and helps hacker to hack his own computer, yes, such user will succeed to be hacked, but security is about professionals who ready to protect himself and not about user who may be publishes his PayPal cookies somewhere on Blogpost and after that surprized that he is hacked.
I have a site that can be accessed both through http (http://mysite.com) and https (https://mysite.com). The https version holds secured content, while the http content is for public use. Both contents are on the same server.
Some of the https pages contain some elements such as images that are hosted on the http pages. So when one goes to the https site, IE's security alert pops up saying that the content required contains nonsecure data. knowing that there is no risk anyway, I want to stop that popup. Is this something to be done only through the IE's settings on the client side or do I need to do something about the SSL certificate and configurations? Any guide is highly appreciated.
IE isn't the only browser that will give a popup of that nature. From memory, Firefox and Chrome have similar warnings (like they remove the padlock, or make the https go red in the address bar, instead of green).
The only way you can get it to go away is to only reference https resources in https pages. Have you checked to see what you're referring to doesn't have a secure version? All of the tools I have used generally have an equivalent https:// domain.
Please understand that the alert is there for a reason. The SSL certificate in place protects against man-in-the-middle attacks*. If you load in resources from non-https sources, then the man-in-the-middle protection you otherwise would have, is lost. The user's data may still be encrypted, but it doesn't really matter if the user is sending all his data to an attacker's computer that is decrypting it itself!
You need to remember that HTTPS is an all-or-nothing scheme. As soon as you introduce a non-HTTPS element into your page, you have essentially lost all the security that SSL has to provide.
Please mount your resources (or somehow make them available) on both HTTP and HTTPS URLs and load them accordingly. If you don't you are putting your users at unnecessary risk.
*only if you have a fully valid SSL certificate.
First, let me admit that what I know about HTTPS is pretty rudimentary. I don't know much about session security, encryption, or how either of those things is supposed to be done.
What I do know is that web security is important; that horror stories of XSS, CSRF, and database injections pop up over and over again. I know that a preventative stance against such exploits is better than a reactive one.
But the motivation for this question comes from a different point of view. I work at a site that regularly accepts payment from users. Obviously, the payments are sent over a secure channel (HTTPS). I mainly work on the CSS, HTML, and JavaScript of the site. What I've been told is that it is necessary to duplicate CSS, JavaScript, and image files before they can be called over HTTPS. So assume I have the following files:
css/global.css
js/global.js
images/
logo.png
bg.png
The way I understand it, these files need to be duplicated before they can be "added" to the HTTPS. So a file can either be under security (HTTPS) or not.
If this is true, then this is a major hindrance. In even the smallest site, it would be a major pain to duplicate files and then have to maintain them every time you make a CSS or JS change. Obviously this could be alleviated by moving everything into the HTTPS.
So what I want to know is, what are the pros and cons of a site that is completely behind HTTPS? Does it cause noticeable overhead? Is it just foolish to place the entire site under encryption? Would users feel safer seeing the "secure" notifications in their browser during their entire visit? And last but not least, does it truly make for a more secure site? What can HTTPS not protect against?
You can serve the same content via HTTPS as you do via HTTP (just point it to the same document root).
Cons that may be major or minor, depending:
serving content over HTTPS is slower than serving it via HTTP.
certificates signed by well-known authorities can be expensive
if you don't have a certificate signed by a trusted authority (eg, you sign it yourself), visitors will get a warning
Those are pretty basic, but just a few things to note. Also, personally, I feel much better seeing that the entire site is HTTPS if it's anything related to financial stuff, obviously, but as far as general browsing, no, I don't care.
Noticeable overhead? Yes, but that matters less and less these days as clients and servers are much faster.
You don't need to make a copy of everything, but you do need to make those files accessible via HTTPS. Your HTTPS and HTTP services can use the same doc root.
Is it foolish to put the whole site under encryption? Typically no.
Would users feel safer? Probably.
Does it truly make for a more secure site? Only when dealing with the communication channel between the client and the server. Everything else is still up for grabs.
You've been misinformed. The css, js, and image files need not be duplicated assuming you've set up the http and https mapping to point to the same physical website on the server. The only important thing is that these files are referenced with https when the page you're looking at is also under https. This will prevent the dreaded security message that says that some objects on the page are not secured.
For every other page where you're running the site under http (unsecured) you can reference those same files in the same locations, but with an http address.
To answer your other question, there would indeed be a performance penalty to put the entire site under https. The server has to work hard to encrypt everything it sends over the wire. And then some not-so-old browsers won't cache https content to disk by default, which of course will result in an even heavier load on the server.
Because I like my sites to be as responsive as possible, I'm always selective about which sections of a site I choose to be SSL-encrypted. In most typical e-commerce sites, the only pages that need SSL encryption are the login, registration, and checkout pages.
The traditional reason for not having the entire site behind SSL is processing time. It does take more work for both the client and the server to use SSL. However, this overhead is fairly small compared to modern processors.
If you are running a very large site, you may need to scale slightly faster if you are encrypting everything.
You also need to buy a certificate, or use a self signed one which may not be trusted by your users.
You also need a dedicated IP address. If you are on a shared hosting system, you need to have an IP that you can dedicate to only having SSL on your site.
But if you can afford a certificate and private ip and don't mind needed a slightly faster server, using SSL on your entire site is a great idea.
With the number of attacks that SSL mitigates, I would say do it.
You do not need multiple copies of these files for them to work with HTTPs. You may need to have 2 copies of these files if the hosting setup has been configured in such that you have a separate https directory. So to answer your question - no duplicate files are not required for HTTPs but depending on the web hosting configuration - they may be.
In regards to the pros and cons of https vs http there are already a few posts addressing that.
HTTP vs HTTPS performance
HTTPS vs HTTP speed comparison
HTTPs only encrypts the data between the client computer and the server. It does not software holes or issues such as remote javascript includes. HTTPs doesn't make your application better - it only helps secure the data between the user and your app. You need to make sure your app has no security holes, practice filtering all data, SQL, and review security logs frequently.
However if you're only responsible for the frontend part of the site I wouldn't worry about it but would bring up concerns of security with the main developer for the backend.
One of the concerns is that https traffic could be blocked, for example on Apple computers if you set parental control on it blocks https traffic because it can't read the encrypted content, you can read here:
http://support.apple.com/kb/ht2900
https note: For websites that use SSL
encryption (the URL will usually begin
with https), the Internet content
filter is unable to examine the
encrypted content of the page. For
this reason, encrypted websites must
be explicitly allowed using the Always
Allow list. Encrypted websites that
are not on the Always Allow list will
be blocked by the automatic Internet
content filter.
An important "pro" for more https at your site is the following:
a user connecting thru an unencrypted WiFi, like at an airport, can give their password in https, but if the site then switches back to http after the password page, the session cookie becomes exposed and can be immediately used by an eavesdropper.
See this article http://steve.grc.com/2010/10/28/why-firesheeps-time-has-come/#comment-2666
Okay, so I have created a webpage for a client who is using https protocol, but wants to stream video from a non-secured source (not YouTube, unfortunately). Best case scenario: I'd be looking for a way to stream the video without getting security warnings for mixed content (especially a problem in any IE). I realize this may be impossible, so my secondary question would be how to put some sort of placeholder into the page if the user decides not to view the non-secure content. This way my layout is not totally butchered. Obviously though, it would be best not to trip any security issues. The video we are trying to stream is accessed via the below code (given by client for embedding), if that helps anything. Any help is appreciated!
<script src="http://video.bigthink.com/player.js?height=183&autoplay=0&width=325&deepLinkEmbedCode=Y5M3U4MTq4-WJs8Wn0bLOXi0AeGcxHf4&embedCode=Y5M3U4MTq4-WJs8Wn0bLOXi0AeGcxHf4"></script>
Usually you just have to change the src from http to https, unfortunately these video sites are not thinking about secuirty and refuse to pay $30 for a certificate. I think your best bet it to make that specific page non-https or use an iframe.