We want to load a page of our platform into an iframe on a client site. Our platform contains a SSL certificate and runs always on HTTPS. The client's site runs on HTTP.
The URL that get's loaded into the iframe contains URL params for the name of the user. Are these url parameters send encrypted because the site in the iframe is HTTPS or are they accessible because the the parameters are created on the client HTTP site?
Short example:
Client site (HTTP) loads iframe with url "https://oursite.com/?firstname=Bob&lastname=Forrest". Are the URL parameters encrypted when they are transferred to the iframe site?
Thanks in advance.
The URL parameters will get encrypted. SSL sits between the HTTP and TCP layers, so the browser will first establish a TCP connection to the server before any data is exchanged. All data (including the request with the URL parameters) will be encrypted.
It is still generally advised to not pass sensitive information in the URL, as it will most likely get stored in plain text in the server logs.
Related
For example, does the URL http://www.google.com/ make the URL less safe, even though the default for this domain is with https?
Accessing a site using http:// (thus the unprotected unecrypted HTTP protocol) means that at least one unprotected HTTP request is sent to the server (most sites that support https will automatically redirect you to the https version).
This unprotected request can be intercepted by an attacker and thus send you arbitrary data back (malicious JavaScript code, redirect to other sites and so on).
The only exception is if you type http://www.google.com/ and you are using Chrome browser because Chrome will for addresses on google.com automatically change the entered URL to https:// before anything is sent on the network.
I'm running an asp.net core web application secured by ssl.
I need to send an ajax request to a local-network device which does not offer https.
So I try to send an ajax http request to a local ip adress (eg. http://192.168.1.30/hello-world) from a https browser window showing my web-app.
The url of the ajax request always gets converted into https://192.168.1.30/hello-world (which does not exist).
Is there anyway to avoid this? The device does not offer https and I can't send a local request from an insecured source.
Thank you!
I have a question regarding SSL encryption for streaming server.
I have a load balancer connected to main panel and both have SSL certs installed properly. However, when the stream is hosted in load balancer, the main panel redirects requests to Load balancer's protected stream link using a simple temporary token over HTTP, and I want encrypted credentials to be sent over HTTPS. I have tried using a redirect to HTTPS, but a sniffer shows that the HTTP header contains the streaming credentials in clear text, when I want them encrypted.
I don't have access to the streaming server and the files are encrypted, so I can't edit the server configs to force the HTTPS redirect. However, through the admin panel, I can add the domain of load balancer, so, for example, if my domain is Server.com, the main panel redirects to the load balancer using this format:
http://server.com?token=djnsjkdnjsnas.
Is there any way to write the domain name in a way, such as https://server.com, that will result in a redirect URL something like something like http://https://server.com, while ignoring the HTTP header and using HTTPS instead?
BTW, the streaming server is xtream iu, or the upgraded version of xtream codes.
To force https on the load balancer you need to send a simple command to your mysql database, via terminal,by default, xtream codes will use http, login to your mysql via putty then type in "UPDATE xtream_iptvpro.settings SET use_https='["1"]' WHERE id='1';" or you can apply the same update via phpMiniAdmin if your xtream build supports it, this will force https in the m3u playlist, add the id number of your load balancer to apply the changes. I used 1 as an example it wont be 1 that will be your main server so adjust accordingly. Also the ssl certs on both the main and load balancers will need to match the root domain, if you install individual ssl certs for each domain it will fail and wont stream. So you will need to use a multi ssl cert. Some will cover up to 100 domains on the same cert.
I've got an internal web application that's designed to work in concert with a server running locally on the client machine. (For the curious: the local server is used to decrypt data retrieved from the server using the client machine's GPG key.)
The internal web app is served over HTTPS while the local app is accessible via localhost. It used to be that I could make unencrypted AJAX requests from the page to localhost without any issues; but it seems that recently Chrome was updated to disallow HTTP requests to any destination from pages served over HTTPS.
I understand that in the vast majority of cases, HTTP requests from a page served via HTTPS constitute a security hole. However, since I have complete control over the endpoint in this case (i.e., localhost), it seems to me that it should still be perfectly safe to make HTTP requests to that one destination even when the host page has been served via HTTPS.
Is this possible? To whitelist localhost somehow?
Since you are in control of both the client and the server, it sounds like a good candidate for Cross-Origin Resource Sharing (CORS). The server will have to set a few response headers to give access to the client. You can learn more here: http://www.html5rocks.com/en/tutorials/cors/
If I have a frame embedded into a html page. The page connects through http. My question is:
If my frame connects through https is the connection and everything still encrypted despite the fact that the container page connects through http?
UPDATE: Thank you everyone. So it is encrypted :)
Everything which is transfered through https is encrypted.
If your https page contains elements which are not encrypted (only http), the browser will warn you unless you have turned of the warning.
So yes, your frame will be loaded as https and will be encrypted if the content url is a https one.
If you want to be sure - install an http proxy and check the traffic through this proxy. You'll see html for your http requests and garbled messaged for https.
The iframe's connection and content will be encrypted, however, the user's browser will only show the "lock" icon if the containing page is https so making the iframe https and the containing page http is kind of pointless from that point of view.
Only the frame content, retrieved through the https connection, is encrypted.
If the encrypted frame content references (e.g. image links, other frames, etc) content it might still explicitly specify that that referenced content is not encrypted e.g. <img src="http://...."/>