Using an AJAX popup (or iframe) that goes (in theory) to https:// on an http:// page presents two problems:
- An attacker can intercept the page and replace the link with his own.
- It does not allow the user to check which site he is connected to.
The first problem is related to this issue (not quite about AJAX pop-ups, but about having a login page served over plain HTTP; it is also discussed on Security.SE). It contradicts this OWASP recommendation:
The login page and all subsequent authenticated pages must be accessed exclusively over TLS. The initial login page, called the "login landing page", must be served over TLS. Failure to use TLS for the landing page allows an attacker to modify the login form, so that the user's credentials are sent to an arbitrary location.
In fact, a MITM can alter the page so that the login form is replaced with its own: the user will not be able to notice the difference (at least until it is too late).
The second problem is that it is actually good to be able to see, in the address bar, which website you are connected to (and which one you will be connected to in the next step). Anyone can have a valid https:// site: both mybank.example.com and attackers.example.com can have a valid certificate issued by a trusted authority. If I connect to my bank, I want to know that it is my bank I am connected to via HTTPS. Sending credentials to an https:// site from a popup or iframe hides the real target site.
This problem can also occur when the initial page is served over HTTPS, as is unfortunately demonstrated by the 3-D Secure system (those people should know better, really!).
In short, do not use an iframe or popup; go to the page where you submit the login form over HTTPS.
Bruno