Https and Frames. Is connection encrypted?

I have a frame embedded in an HTML page. The page connects through http. My question is:
If my frame connects through https, is the connection and everything still encrypted despite the fact that the container page connects through http?
UPDATE: Thank you everyone. So it is encrypted :)

Everything which is transferred through https is encrypted.
If your https page contains elements which are not encrypted (only http), the browser will warn you unless you have turned off the warning.
So yes, your frame will be loaded as https and will be encrypted if the content URL is an https one.
If you want to be sure - install an http proxy and check the traffic through this proxy. You'll see HTML for your http requests and garbled messages for https.

The iframe's connection and content will be encrypted. However, the user's browser will only show the "lock" icon if the containing page is https, so making the iframe https and the containing page http is kind of pointless from that point of view.

Only the frame content, retrieved through the https connection, is encrypted.
If the encrypted frame content references other content (e.g. image links, other frames, etc.), it might still explicitly specify that the referenced content is not encrypted, e.g. <img src="http://...."/>
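
The answers above come down to a per-resource rule: each referenced URL is fetched over the scheme it resolves to, regardless of how the containing document arrived. The following is an added example, not part of the original posts, that lists each resource a document references and whether its own connection is encrypted; the host names and sample documents are constructed, and it goes slightly beyond frames by also covering images, scripts and form targets.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute holding the URL the browser fetches (or, for a form, submits to).
FETCH_ATTRS = {"iframe": "src", "frame": "src", "img": "src",
               "script": "src", "form": "action"}


class ResourceAudit(HTMLParser):
    """Collect each referenced resource and the scheme it resolves to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_secure = urlsplit(page_url).scheme == "https"
        self.findings = []  # (tag, absolute_url, verdict)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Relative and scheme-relative ("//host/x") URLs inherit the page scheme.
        absolute = urljoin(self.page_url, value)
        scheme = urlsplit(absolute).scheme
        if scheme not in ("http", "https"):
            return
        if scheme == "https":
            verdict = "encrypted"
        elif self.page_secure:
            verdict = "mixed-content"  # https document pulling a plaintext resource
        else:
            verdict = "plaintext"
        self.findings.append((tag, absolute, verdict))


def audit(page_url, html):
    parser = ResourceAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed samples: an http container embedding an https frame, and the
# https frame document, which itself references one plaintext image.
CONTAINER = ('<html><body><img src="/logo.png">'
             '<iframe src="https://frames.example/app"></iframe></body></html>')
FRAME = ('<html><body><script src="//cdn.example/a.js"></script>'
         '<img src="http://img.example/x.png"/><form action="login"></form></body></html>')

if __name__ == "__main__":
    for url, doc in (("http://site.example/", CONTAINER),
                     ("https://frames.example/app", FRAME)):
        for finding in audit(url, doc):
            print(url, *finding)
```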

Related

Encryption in Transit: HTTP to HTTPS

When sending data from a server / device through HTTP, to a destination that is enforced by https, is that data encrypted in transit?
HTTP -> HTTPS
Or does the source and the destination both have to enforce HTTPS?
A protocol is the language between a client and the server. This language might have features including ones related to security. HTTP is basically for browsers requesting web resources from web servers without any encryption, authentication or integrity protection. HTTPS is the same, but one that provides these features (HTTPS is actually HTTP, protected by TLS).
Each TCP connection between components uses one protocol (it's sometimes a little more difficult than that, but let's stick with this, it's good enough for now). In case of web components, it's typically either http or https. Each resource that is downloaded (a page, an image, a javascript file, any resource) is typically downloaded in its own separate connection. Whether that will be http or https depends on how the page references it.
So in practice, if you have a look at an HTML page that you downloaded over http, it can still reference resources with https URLs, in which case those will be downloaded by your browser via https. It can also happen the other way round, a page downloaded over https can reference resources over plain http, but your browser will then warn you.
In short, your question doesn't make sense because you don't "send data through http, to a https destination". If the destination is https, the connection will be using https. In a web application, the page itself can be downloaded via http (in which case the html code and any data embedded in the html itself will not be protected against man-in-the-middle attackers), but it can reference further resources, images, css, javascripts via https, which your browser will then download securely.

How Browser download files (via HTTP or FTP)

Please forgive me if it seems a silly question, I have this doubt and couldn't find the answer on the web.
How does a browser or any other downloader download a file? Which protocol is working at the backend, HTTP or FTP?
As we all know HTTP can be used to transfer text, which can be rendered by the browser. It can also send binary data.
Let's say I want to access a webpage at www.xyz.com/index.aspx which has a static webpage with 2 images. As we all know a total of 3 HTTP requests will be made, one for webpage and other 2 for images.
But what about other files which have a big size? I mean, suppose I'm downloading an mp3/mp4 file (with the link given on the webpage). So, what protocol is working at the backend, HTTP or FTP?
It depends on the URL:
ftp://www.example.com/bla/bla/bla01.zip
will be fetched via ftp, and
http://www.example.com/bla/bla/bla01.zip
will be fetched via http.
Of course we cannot simply replace http:// with ftp://, as http needs an http server, and ftp needs an ftp server.

HTTP vs HTTPS from developer view

I need to build a Web site which would have a secure connection (HTTPS) on some pages. I need to know if there will be a difference for me (as a developer) while I write the code. Must I treat some data differently, or what? What is the main difference from the back-end view?
From the backend point of view, there is no difference. The difference between the two is the TCP connection between the server and the client. Https will be encrypted, http is not of course, but it's all decrypted by the time it hits your code. The server will have some flags available so you can determine whether the connection is http or https (names vary depending on the server) but unless you're using that information to change the behavior of the page, you don't need to worry about it.
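
One case where the backend does use that flag is enforcing https on only some pages, as the question asks. The following is an added example, not code from the original answer: a WSGI middleware that reads `wsgi.url_scheme` (the WSGI name for the flag) and redirects plaintext requests for protected paths. The host name, path prefixes and the `demo_app` and `call` helpers are hypothetical, and it assumes TLS terminates at the WSGI server itself.

```python
from urllib.parse import quote


def require_https(app, canonical_host, secure_prefixes=("/login", "/account")):
    """WSGI middleware: send plaintext requests for protected paths to https."""
    def middleware(environ, start_response):
        # wsgi.url_scheme is "http" or "https" for the connection that was used.
        scheme = environ.get("wsgi.url_scheme", "http")
        path = environ.get("PATH_INFO", "/")
        if scheme != "https" and path.startswith(tuple(secure_prefixes)):
            # Build the target from configuration, not from the Host header,
            # and re-quote the decoded path so it cannot inject header bytes.
            location = "https://" + canonical_host + quote(path)
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return middleware


def demo_app(environ, start_response):
    """Hypothetical application: reports the scheme it was reached over."""
    body = ("served over " + environ["wsgi.url_scheme"]).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, scheme, path, query=""):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme,
               "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    site = require_https(demo_app, "shop.example")
    print(call(site, "http", "/login", "next=%2Fcart"))
    print(call(site, "https", "/login"))
    print(call(site, "http", "/about"))
```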

Load https site in iframe on http site

We want to load a page of our platform into an iframe on a client site. Our platform has an SSL certificate and always runs on HTTPS. The client's site runs on HTTP.
The URL that gets loaded into the iframe contains URL params for the name of the user. Are these URL parameters sent encrypted because the site in the iframe is HTTPS, or are they accessible because the parameters are created on the client HTTP site?
Short example:
Client site (HTTP) loads iframe with url "https://oursite.com/?firstname=Bob&lastname=Forrest". Are the URL parameters encrypted when they are transferred to the iframe site?
Thanks in advance.
The URL parameters will get encrypted. SSL sits between the HTTP and TCP layers, so the browser will first establish a TCP connection to the server before any data is exchanged. All data (including the request with the URL parameters) will be encrypted.
It is still generally advised to not pass sensitive information in the URL, as it will most likely get stored in plain text in the server logs.
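
The logging concern in the answer above can be handled on the server side by scrubbing query values before access-log lines are stored or shipped. The following is an added example, not part of the original answer; it assumes Common Log Format request lines, uses the parameter names from the question, and the sample log line is constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: these are the parameter names considered sensitive (from the question).
SENSITIVE = frozenset({"firstname", "lastname"})

# The quoted request field of a Common/Combined Log Format line.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample line; the address is from a documentation range.
SAMPLE_LINE = ('203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
               '"GET /?firstname=Bob&lastname=Forrest&lang=en HTTP/1.1" 200 512')


def redact_target(target, sensitive=SENSITIVE):
    """Replace the values of sensitive query parameters in a request target."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Values are decoded and re-encoded here, so escaping may be normalised.
    cleaned = [(k, "REDACTED" if k.lower() in sensitive else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_line(line, sensitive=SENSITIVE):
    """Rewrite only the request field of one access-log line."""
    def repl(m):
        target = redact_target(m["target"], sensitive)
        return '"%s %s %s"' % (m["method"], target, m["proto"])
    return REQUEST.sub(repl, line, count=1)


if __name__ == "__main__":
    print(redact_line(SAMPLE_LINE))
```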

SSL - ASP.NET - Passwords passed in plain text when checked with Fiddler

I want to implement SSL with ASP.NET. I have generated a self-signed certificate using selfssl. After that, I have assigned https bindings on port 443 (also tried alternate port 8443). When I access the website with https and enter credentials, Fiddler shows passwords being passed in plain text. Why is that?
I am doing everything as it is supposed to be done. What am I missing? I have been all over the search engines for this and have done all of it but still missing something.
If you are using Fiddler's certificate (which you shouldn't do on your production machine for security reasons) then Fiddler has the ability to decrypt and show you your SSL traffic. If that's not the case, make sure you are submitting your form also to an HTTPS link.
