okay all you frame lovers ! and anyone else ofcourse.

I just came across this site (URL witheld), that uses frames.
They are selling this book and for fun I click on the 'buy now' button.

A new 'inner page' comes up with a standard form for paypal. It has all the usual stuff, name, address and then I see 'credit card no.'

Well I look around and see no padlock or https !!

ahhh, okay, I just right-clicked the 'inner page' and it is being called straight from paypal and it is secured.

okay, so Im assuming that even though the outer page is not SSL encrypted that the transaction will be ??

still though, people are savvy enough now to look for https and the padlock, no? shouldn't this site owner secure the entire page, just to give people peace of mind ??

comments, experiences ??

IMHO they should secure the entire page... but then again, I'm not a fan of frames, heh

I think this is in the wrong topic category ;)

they should secure the entire page
that's what I'm thinking


I think this is in the wrong topic category
really ? well, it's an e-commerce issue, isn't it ?
where should it be ?

Yes, you are correct - ecommerce issue... Notice the time I posted that? hehe... I was sleepy...

... I was sleepy
I hear you me too !

Well I look around and see no padlock or https !!

still though, people are savvy enough now to look for https and the padlock, no? shouldn't this site owner secure the entire page, just to give people peace of mind ??


Cyanide
I'm glad the little gold lock makes you happy but, don't rely on it to make you secure. SSL only encrypts data in transit on the Internet and nothing else! An in-transit hack is very unlikely, SSL certificates can be faked, SSL certificates can allow unsigned code to run as trusted code, and more often than not an SSL certificate is for the box hosting the website, not the website itself.

Much more important when shopping at an Internet store is to know what security measures the host takes to protect your information.

Hello,

A solution we offer to our "frame design" clients is to make the product post to a new browser window.

This way the lock/key will show the page as secure.

Frames should not be used for ecommerce designs as you described.. the url is not SSL enabled unless the entire URL is https: at all times.

http://www.securecart.com

From what I've observed of most e-commerce sites, if SSL is used and you've selected a "buy me" control it should come up with a warning panel telling you you are opening a new browser with a secure connection and ask if you wish to proceed.

Once in you should have the padlock you desire

I'm glad the little gold lock makes you happy but, don't rely on it to make you secure. SSL only encrypts data in transit on the Internet and nothing else! An in-transit hack is very unlikely, SSL certificates can be faked, SSL certificates can allow unsigned code to run as trusted code, and more often than not an SSL certificate is for the box hosting the website, not the website itself.You are 100% correct. But the problem is that the average surfer has the impression that the little gold lock means secure so you will lose orders if it is not showing.

The only way to get the little gold lock to show with frames is to have the entire frameset downloaded via SSL, not just the child frames.

My webpage has frames and everything (I guess), comes from an SSL conection, but the there isn't a "lock".
Am I doing something wrong?

Best regards

Marco

For the SSL "Secure" lock to become visible, every element on the page must be served with the "https://" protocol otherwise you won't see the lock icon or, you may see an apostrophe indicating a "mixed content" error message.

There are a few possible solutions to this problem.

1) Reload the current frameset under the "https://" instead of "http://" protocol.
2) Open the secured pages in a new window.
3) Store your shopping cart in a secured folder and run it from there.

Note:
To secure your shopping pages, checkout pages and any forms, it's wise to implement a script that senses tht the secured protocol is being used, not only by monitoring the address bar but by checking for the presence of secure server requests. Once set up, the page is automatically reloaded and the URL corrected under the secure protocol when the script detects that the url string doesn't contain "https://" or if it finds that secure server requests are not being used.

This requires some coding skills and the ability to run a script language on your server but when set up, it's pretty slick.

Some might feel that SSL security isn't an issue, however it does build site trust and help establish credibility, both of which tend to be extremely important in the conversion process.

.02

I agree with Islands, it's all about the company that you're dealing with. See if they have phone numbers, some sort of address, check the whois, and the BBB. Honestly with the frames I'd be a little weary my self :-).