What are the dangers of using an SSL iframe within SSL pages

Question

Is it safe to use a SSL iframe within a SSL page. The SSL frame contains a form.

Answer 1

An important part of the security offered by HTTPS is the verification of the identity of the server to which you are talking. This is done by verifying that the certificate is genuine and that it matches the requested host name.

Although most aspect of the verification are done technically within the browser (PKI verification and host name matching verification), the last step is a user-interface point of view, and must be done visually by the user. Checking that users are using HTTPS correctly when they intend to use it is solely their responsibility.

If you intended to go to https://www.google.com/, but typed https://www.g-o-o-o-o-o-gle.com, both could have genuine certificates (Anyone can get a certificate nowadays, even attackers, the rewards can be worth the investment). It's up to the users to make sure they're visiting the site they intend to visit.

By embedding an iframe with an https:// link within another page (HTTPS or not in fact), you're preventing the user from verifying that they are connecting to the intended site. It's unrealistic to expect the users to check the page DOM to make sure the requests go to the host they are expecting it to go to. At this stage, the identity of the site within the iframe is hardly verifiable by the user: they really have to trust the embedder.

A good bad example of this comes from the banking industry, nothing less, which gave us 3-D Secure. Merchant websites are meant to include a page provided by your bank within an iframe, asking you to type in a password to check usage of your credit card. However, as a user, you have to put a lot of trust into the merchant site, because it could very well redirect you to a site under its control and proxy all the requests to the genuine bank site. It would look exactly like the genuine bank site, but the merchant (or an associate) could see everything you type. Not every user can be expected to use developer tools like Firebug (even for developers, if a bit of JS is involved, it can be very hard to track what is happening). (This is a bit of a shame, because one of the aims of this system is precisely to prevent fraud against bad merchant sites unfortunately.)

If you're embedding an HTTPS iframe within an HTTPS page, you're effectively vouching for its content and the interactions with it (just like you would for any other content you embed). Users can only be expected to verify your certificate, not what is embedded. This comes with a certain responsibility.