Posted on Thu 09/15/05 in Technical Interleude
I experienced something today that I had not yet seen in all my years of web browsing. While submitting an (implied) “secure” transaction on a website, I could not verify that the transaction was secure.
My experience has shown me that while I am browsing on an unsecured website, when it is time to send secure information, the URL in the address bar switches to https: and the lock at the bottom of my Firefox browser closes, ensuring that I am dealing with a secured server. This wasn’t happening in this case.
So, I called their company’s tech support and explained the situation. The person who answered the phone questioned me like I was an idiot. “Well, I’ve never heard of that before,” was how every answer sounded. After further explaining the details of my concern, he told me they would talk to the level 2 technicians and have them call me.
He ended up calling me back and was much friendlier. The techs basically said that it IS secure, but because the page uses frames in its design, it doesn’t show that it is secure – the main page could be unsecured, but the frame that needs to be encrypted IS secure. I simply could not believe that I had never come across this before, and I KNOW I’ve been to sites that use frames. He said they couldn’t give out too much information about their security detail, but that like their Privacy Policy says, it is secure.
I offered an analogy to the gentleman on the phone:
“Let’s say that we agree that every day when you leave the house, I come over and lock the door for you. But, every day when you come home, the door appears unlocked—i.e. you cannot see the deadbolt through the crack or whatever. But, when you ask me about it, I show you a piece of paper that says I’m locking your door.”
He asked me not to shoot the messenger.
I decided to engage in a chat with Verisign’s support agent, since they are the company’s Certificate Authority. The support agent confirmed what the phone tech had told me:
“I’m not an expert with website design, but I do know that frames can affect the site in such a way where it will prevent the security padlock from displaying on the page, even though the transmission is indeed secure. We are really only the Certification Authority so we do not deal too much with website configuration and design.”
At this point, I was mostly convinced, but not really.
So I attempted to open the frame in question in a new browser window using Firefox’s excellent frame management function. I opened the frame which contained the credit card number entry field. This can be done by right-clicking on the field entry box, selecting This Frame from the sub-menu, and then selecting Open Frame In New Window.
When the page opened, it WAS secure. I searched the privacy policies of some other large companies and found the following statement to be included similarly in many of them:
Secure Mode and Frame-Based Web Pages
Besides this instance, I found one other spot on the website in question that implies a secure connection; however, I have not been able to verify the secure transaction for this instance. In this case, the button says “Secure Checkout,” and upon pressing, moves you to a screen to confirm your order. When I tried to open the frame in a new window, it was not secure. When I pointed this out to the tech support rep, he told me that it had previously said “Checkout”, but that people complained, so they changed it to “Secure Checkout”. We actually both laughed about that irony, and I figured that was the reason I had never noticed it before. When it had not said “Secure”, I didn’t care. I wasn’t entering my credit card information, so I didn’t care if someone knew that I ordered a pack of widgets. But, I figured that this company could face some serious problems IF they had been missing something this big. Turns out that I learned something today.
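The manual check described above (opening each frame in its own window to see whether it is served over https) can be scripted. The following is an added example, not part of the original post: the page URL, host names and HTML are constructed, and the `audit` helper is hypothetical. It goes one step further than the post by also checking where a form inside a frame submits its data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an http frameset page with one https frame, as in the post.
PAGE_URL = "http://shop.example/store/index.html"
SAMPLE_PAGE = """
<frameset cols="20%,80%">
  <frame name="nav" src="/nav.html">
  <frame name="pay" src="https://secure.shop.example/card.html">
  <frame name="confirm" src="confirm.html">
</frameset>
"""

class FrameAudit(HTMLParser):
    """Collect frame/iframe sources and form targets as absolute URLs."""
    ATTR = {"frame": "src", "iframe": "src", "form": "action"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = self.ATTR.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value and tag != "form":
            return  # a frame without src loads nothing over the network
        # A form with no action submits back to the page's own URL.
        self.findings.append((tag, urljoin(self.page_url, value or "")))

def audit(page_url, html):
    """Return (tag, url, verdict) for every frame and form target in html."""
    parser = FrameAudit(page_url)
    parser.feed(html)
    parser.close()
    top_https = urlsplit(page_url).scheme == "https"
    report = []
    for tag, url in parser.findings:
        if urlsplit(url).scheme != "https":
            verdict = "NOT encrypted"
        elif top_https:
            verdict = "encrypted"
        else:  # the case from the post: secure frame, no padlock on the outer page
            verdict = "encrypted, but the outer page cannot show it"
        report.append((tag, url, verdict))
    return report

if __name__ == "__main__":
    for row in audit(PAGE_URL, SAMPLE_PAGE):
        print(*row, sep="  ")
```

Run the same function on the HTML of each https frame as well, since a frame loaded over https can still contain a form that posts to an http address.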