
Secure iframe on unsecure page in a different domain

Our company is looking into allowing third party sites to use our online checkout system.

A client has stated that they would like to be able to use a lightbox style popup to display the checkout. And they would like this to be available on every page of the site, therefore mostly unsecure pages. Our checkout system and the client site are obviously on different domains.

I'm guessing that I could use a secure iframe (using https) to display our checkout system.

Would this iframe actually be secure?

Is this a sensible thing to do? (My gut says no, as how can the user tell the page is secure?)

Are there any better ways to achieve this same functionality?

Karl asked Oct 23 '08 13:10


2 Answers

Yes, the iframe would be secure, but you're correct that the customer wouldn't actually be able to tell that it's secure. On the other hand, most users can't tell if a page is secure anyway - a few images of padlocks scattered around will convince most of them.

Could you, when they click to pop out the checkout, send them to the same url under HTTPS then pop it out (you'd need your own SSL certificate of course)?

Greg answered Oct 31 '22 12:10


Have you seen how other similar checkout systems work? For example, the PayPal checkout on eBay? They take you through the checkout process "full screen" and back to the original site when the transaction is complete.

thijs answered Oct 31 '22 12:10
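
The full-page flow suggested in the second answer, sketched from the checkout provider's side as an added example (not code from the original question or answers): the checkout refuses to render inside any frame, so the user always sees its own HTTPS address bar, and it only sends the buyer back to a return URL registered for that merchant. The merchant registry, the `shop-123` id, the `shop.example` host and the function names are assumptions made for illustration.

```javascript
// Added example. Merchant ids, hosts and function names are hypothetical.
// Registry of third-party sites allowed to hand buyers to the checkout
// (constructed sample data; the client site in the question is plain HTTP).
const MERCHANTS = new Map([
  ["shop-123", { returnOrigins: ["http://shop.example"] }],
]);

// Sent on every checkout response: never render inside a frame, so the
// checkout is only shown top-level where the browser displays its HTTPS URL.
function checkoutHeaders() {
  return {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY", // for browsers without frame-ancestors support
  };
}

// Return the normalised return URL if it belongs to the merchant, else null.
// Comparing the parsed origin (scheme + host + port) rejects look-alike hosts,
// embedded credentials, relative paths and non-http schemes.
function resolveReturnUrl(merchantId, returnUrl) {
  const merchant = MERCHANTS.get(merchantId);
  if (!merchant) return null;
  let url;
  try {
    url = new URL(returnUrl);
  } catch {
    return null; // not an absolute URL
  }
  if (url.username || url.password) return null;
  return merchant.returnOrigins.includes(url.origin) ? url.href : null;
}

// Entry point the merchant page links to (top-level navigation, not an iframe).
function startCheckout(query) {
  const returnUrl = resolveReturnUrl(query.merchant, query.return_url);
  const headers = checkoutHeaders();
  if (!returnUrl) {
    return { status: 400, headers, body: "Unknown merchant or return URL" };
  }
  // After payment completes, the buyer is redirected to returnUrl.
  return { status: 200, headers, returnUrl };
}
```
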