SSL and HTML Frames -- iis security

jaggei
1/5/2006 9:16:02 AM

I have a web site which uses HTML frameset.Aspx pages areloaded into these
frames. I want to use SSL on certain pages in this site. I Assigned a server
certificate(issued by Microsoft CA Services) on this web site. I enabled file
security for those pages in the site.Now when I navigate to the secured page
the padlock doesn't appearin status bar.But when i right click on the page
and see properties,it shows https protocol is being used. If I enable SSL for
the entire site, padlock is showed constantly.
What is the reason for this behaviour with padlock.Is SSL working fine when
enabled at page level. Can any body suggest how to rectify padlock behaviour.
Thanks

Miha Pihler [MVP]
1/5/2006 6:24:08 PM

Hi,

My guess is that is because of frames. It would not be good to show the
padlock when you have a page with frames where one frame is SSL protected
and the other one is not. This could cause a lot of security problems...
That is why IE only shows padlock when whole page is secured.

Still SSL is established between that page and IIS server (and not the other
frames).

I am not aware of any easy way to fixing this besides getting rid of frames
when user clicks on SSL link (https) (e.g. as much on-line shopping that I
do I am not aware of any site that would use frames (e.g. VerSign, Thawte,
Amazon, .)). I believe this will get even more obvious with IE7.

--
Mike
Microsoft MVP - Windows Security

[quoted text, click to view]

iis security : SSL and HTML Frames