SSL and Frames

[Jamie Dulaney]

I'm working on a website that uses frames. Some of the pages that belong in
the 'main' frame (not the header (top) or contents (side)) need to be SSL
encrypted. I have no problems in invoking these pages using SSL (within
their respective frame). However, I would like the 'security lock' at the
bottom to be present when the frame (main content frame) is showing a
secured page.

My hunch is that because the other two frames are not SSL (header and
contents) is that the browser is showing only a partially secured (1 out of
3 frames) window. Therefore, the security lock is not present ??? The
individual frame is still using the HTTPS protocol, just not getting a
visual for the user to feel comfortable that the particular frame is
secured..

Anyone know how to get the security lock to show on HTTPS requests within a
particular frame ?


PS... I understand how to use 'user controls' and have used on several
sites. The profile for this particular application at the time it was
written warranted this architecture. I appreciate your help, but if your
help is only to say "Don't use frames..." or "Use user controls
instead..." then don't waste your time keying those stock responses. I
apologize for having to put in this posting (for those that don't deserve to
be informed). I have just reviewed serveral posts on frames within this
newsgroup where the only technical help was to suggest a different
architecture. While it is a consideration to dump one form for another,
many times it is not possible given the breadth of the application,
timeframes, etc. If you do, in fact, have some information that would be
helpful (other than dump the architecture in favor of a different one) then
I certainly would appreciate it... Thanks (in advance) for any help...

 

[Jon Gilbert]

Your hunch is correct: you won't get the browser to show the lock when only
one of your frames is secured. I had the same problem last year. My
suggestion (without trashing your frame-architecture ;-) is to run just the
secured part in a new window (without a toolbar but with a status bar). That
way the secure part of your app is also seen to be secure and you dont have
to rewrite the rest of your site.

The only other alternative is to inform the users, that they are in a secure
part of the site and tell them how to check that (right key / settings /
check for https in the URL)

Hope that helps
Jon

 

[Yan-Hong Huang[MSFT]]

Hello Jamie,

Thanks for posting in the group.

Based on the description, the question is: Now you have a framed page, some
frame is in security zone. However, you like the security lock at the
botton to be shown when the active frame is a secured page. Also, you don't
want to change the frames structure. Please feel free to post here if I
have misunderstood the problem.

I agree with Jon on his opinion. If the secure web page is located inside a
frame, the secure lock will not appear. The Secure Lock indicator is
displayed only if the original HTML document that referenced the frameset
is located on a secure site. There is no good way to change this default
behavior. We need to take workarounds as Jon suggested to notify the web
clients that he is in a security zone.

For an example, in the "What is a secure browser?" part of
http://icmr.icfai.org/FAQ.htm, we can see that:
---------------------------------------
Browsers that support the SSL encryption technology are called secure
browsers. Most Netscape (version 4.7 and later) and Microsoft Internet
Explorer (version 5.5 or later) browsers are secure. Your browser will
automatically enter the secure mode when you make online payment
transactions with ICFAI.

In Netscape browsers, a key or a socket appears in the lower left-hand
corner to indicate the current security mode. When the key appears
unbroken, data sent between your browser and the Web site is secure; if the
key appears broken, the data is being sent unencrypted.

In Microsoft browsers, a lock appears in the lower right hand status bar
during a secure session. No lock is visible during normal unencrypted
sessions.

These symbols may not appear when using HTML frames in the website;
however, any transaction with ICFAI is always secure when sensitive
information is being sent.
......
--------------------------

I think that is the way that is often used to indicate it.

Thanks and please feel free to post here if you have any more concerns.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! ¨C www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[JiangZemin]

My hunch is that because the other two frames are not SSL (header and
contents) is that the browser is showing only a partially secured (1 out of
3 frames) window. Therefore, the security lock is not present ??? The
individual frame is still using the HTTPS protocol, just not getting a
visual for the user to feel comfortable that the particular frame is
secured..

Anyone know how to get the security lock to show on HTTPS requests within a
particular frame ?

hi, we have run into same issue.
my suggestion will not solve your problem (as some other posters have
indicated, there is really no way to trick the security lock icon into
appearing), but have you considered using a logo (Google image "Versign.gif"
or "Verisign.jpg") which clearly says something like "Secure Site, click
here to verify"? This will at least make users a little more confident.

HTH

 

[Jamie Dulaney]

Thanks... I have created my own 'security lock' and within my ASP.NET application I now do the following:

Put an 'EncryptImage' control (my own small padlock) on pages which may be set to use SSL. I then put the following code in the page:

EncryptImage.Visible = false;
if (Request.IsSecureConnection == true)
{
EncryptImage.Visible = true;
}
Not the official visual for SSL utilization. But at least the frame does show a 'visual' and I suppose a person can then right click the form to see that it is in fact using the https protocol. I use web.config settings to turn on/off security https (basically what gets prepended to redirects or transfers). That way the site can run in non secure mode (if required) and the above check will alternately not display...

Thanks for your help (and all of you others that have posted a reply)...

 

[Yan-Hong Huang[MSFT]]

Hi Jamie,

I am glad to be of assistance. Thanks very much for sharing your idea in
the community. It could definitely benefit other developers much.

Thanks again for participating the community.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! ¨C www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Nick Gilbert]

My suggestion (without trashing your frame-architecture ;-)

My suggestion is to trash your frame-architecture.

No self-respecting website uses frames (name one?). You can achieve much
the same effect as frames by using scrolling DIVs in CSS if you really
need to: <div style="height:100px; overflow: scroll;"> (I think that
syntax is correct - but you might want to check it).

If you don't use frames, your site will be crawlable by search engines
(apart from the SSL pages) and you will be able to book mark all the
pages (instead of only the home page).

Nick Gilbert

 

[Vidar Petursson]

Hi

My suggestion is to trash your frame-architecture.
No self-respecting website uses frames (name one?).

http://msdn.microsoft.com/library/

Frames are not evil and are perfectly reasonable to use in many cases

--
Best Regards
Vidar Petursson
==============================
Microsoft Visual: Scripting MVP 2000-2004
http://www.icysoft.com/
http://www.deus-x.com/ Instant e-commerce
http://www.microsoft.com/technet/scriptcenter/
Playground: http://213.190.104.211/ ( IE 5.5+ only )

No matter where you go there you are
==============================

 

[Nick Gilbert]

http://msdn.microsoft.com/library/

Frames are not evil and are perfectly reasonable to use in many cases

The *very first* link I clicked on doesn't load properly in my browser:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/win2ksignfaq.asp

You'll also notice they've had to code a horrible workaround so that
it's possible to bookmark the pages...

Although you might get away with writing your own homepage or a basic
ASP site, they are a NIGHTMARE to use in ASP.NET on anything more than a
very very basic site. ASP.NET forms do not allow you to change the
action or target of any forms, so you end up writing loads of javascript
and dummy pages to get the other frames to load as expected.

I'm not just saying this - we have tried it and ended up writing the
site again to not use frames. It now looks IDENTICAL to the frames site,
but it works properly in all browsers, is crawlable by search engines,
supports SSL properly, can be bookmarked, and has a nice architecture.
None of this would have been possible using frames with out a LOT of
extra work.

I really recommmend steering well clear of frames when using .NET.
Frames are for people that don't understand how CSS works.

Nick...

 

[Nick Gilbert]

Oops - posted that before I was finished...

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/win2ksignfaq.asp

You'll also notice they've had to code a horrible workaround so that
it's possible to bookmark the pages...

You can't link to frames pages either - unless you code a workaround
such as the one Microsoft are using. And if you do code a workaround,
all the links will look as complicated as the one above.

Instead of http://www.domain.com/productname/

you will have http://www.domain.com/?default.aspx?url=productname

People visiting your site from search engines will probably find all the
other frames missing (ie no navigation) - that's assuming the site was
indexable by search engines in the first place. Unlikely...

Note that the Microsoft site is in legacy ASP not .NET. You will not
find a .NET site of any merit, which uses frames. MS also has several
hundred web developers/content authors maintaining microsoft.com - you
many not have enough money to have this many developers working on your
site, so you may want to keep it simple...

Nick...

 

[Awhite]

I'm curious about this post...

I think frames make web development cumbersome, but we have a web site
which does form submits to a frame...

Am I able to do that with DIV tags and CSS?



*** Sent via Devdex http://www.devdex.com ***
Don't just participate in USENET...get rewarded for it!