Timeline for How does collecting sensitive data using iframes increase security?
Current License: CC BY-SA 4.0
4 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Apr 24, 2021 at 8:27 | comment | added | Acorn | | @reed aha this is interesting. So it serves as a way to make it easier to audit what a website is doing with the data? I was looking at it from the perspective of a compromised website.. a user is very unlikely to right click on a form to check that it is in an iframe. But if we're just wanting to make it clearer that the data is only going to one destination under normal conditions, then an iframe does make that easier.. |
| Apr 24, 2021 at 2:21 | comment | added | Zach Lipton | | @Acorn The iframe approach protects against a number of bad things, including the possibility that the merchant will indefinitely store all their customers' unencrypted credit card information in a publicly accessible database, which is the sort of thing that used to happen alarmingly often. It does not protect against the case where the merchant's entire site exists to gobble up credit card information and send it to attackers (either because the site is a trojan horse or it's been compromised), but the protection of the merchant never accessing the data still reduces the attack surface. |
| Apr 22, 2021 at 18:11 | comment | added | Acorn | | I guess my question is, if you can do nothing to protect data on a website if it is infected, then why go through all the trouble of writing JavaScript SDKs that insert iframes into a page? How much of it is because that's the PCI hoop we need to jump through, and how much does it actually protect the data? |
| Apr 22, 2021 at 17:49 | history | answered | reed | CC BY-SA 4.0 | |