Using an AJAX pop-up (or an iframe) that goes (in theory) to https://
on an http://
page presents two problems:
- An attacker could intercept the page and replace the link with his own.
- This prevents the user from checking to which site it's connected to.
The 1st problem is related to this question (not specific to AJAX pop-ups, but for having the login page over plain HTTP, also discussed on Security.SE). This goes against this OWASP recommendation:
The login page and all subsequent authenticated pages must be
exclusively accessed over TLS. The initial login page, referred to as
the "login landing page", must be served over TLS. Failure to utilize
TLS for the login landing page allows an attacker to modify the login
form action, causing the user's credentials to be posted to an
arbitrary location.
Essentially, a MITM could modify the page you use to server that login box to replace it with their own: the user wouldn't be able to notice the difference (at least until it's too late).
The 2nd problem is that it's actually a good thing to see you have connected (and also about to connect for the next step) to the website you want in the address bar. Anyone can have a valid https://
site: mybank.example.com
and attackers.example.com
could both have a valid certificate issued by a trusted authority.
If I connect to my bank, I want to know it's to my bank I'm connected over HTTPS. Sending credentials to a https://
site from a popup or an iframe hides the real target website.
This problem can also happen when the initial page is served over HTTPS, as unfortunately demonstrated by the 3-D Secure system (these people should know better, really!).
In short, don't use an iframe or a popup, and do serve the page where you present the login form over HTTPS.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…