Re: off-topic HTML frames & SSL

Mon, 1 Nov 1999 15:41:39 -0800 

Dragomir,
> Is it possible to have a properly working frame under HTTPS (SSL) in an
> unsecure frameset?

     Should be possible, the question is why?

> My e-commerce servlets run on an unsecure server and
> card authorization is performed on another (secure) server.
> In order to hide the card processing site, I want to do authorization
> in a frame so the URL on top of the browser is still merchant's URL.
> However, the security lock does not lock, and the security
> alert window does not pop-up (although this option is on).
> When I look at frame's properties, the URL is OK,
> i.e., https://...
>
> If I open the card processing site in a new window, everything is OK.
> I would really like to hide the secure site so everything looks like
> coming from the merchant's site.

     Okay, so if I'm reading this right, you want it to look like it's
coming from an unsecure site (unsecure frames, http:// instead of
https://, etc) but have the lock and other special effects of SSL work
as usual.  Do you see how self-contradictory this is?  The whole point
of the lock, alert, etc, is to comfort the user by telling them the
site they're accessing is secure.

     I'm guessing your goal is to use an external secure order
processing server that doesn't share the same domain name as your
merchant site, to avoid having to pay for a versign certificate and
whatever costs are associated with hosting an SSL server.  But you
don't want it to appear to the user that you're doing so.  Why not?

     It's not uncommon for small sites to do this, so why not just
have it be visible?  Depending on the amount of access you have to the
SSL server, you could just host the secure frameset there and have the
frameset pull the normal stuff off the main server.

Steven J. Owens
[EMAIL PROTECTED]
[EMAIL PROTECTED]

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html

Reply via email to