Tags: asp.net, security, iframe, https, hipaa

How can using https in an iframe be secure?


I've come across a medical provider website that serves its pages over aspx. This provider has new client forms within this same aspx page. I contacted the vendor that built the website asking why they aren't using https. They assured me they are using https encryption within the iframes.

My question: Is this response total BS?

It seems to me that a very simple way to hack this website would be to spoof the site using my own aspx page that redirects over to me. Without https, the browser has no idea of the security, so nobody would be able to tell if they were on my website or the actual one.

This is all HIPAA protected info (in the US) that's transmitted, so there are laws about how it must be protected. It seems that the contractor is being pretty negligent, but maybe I'm missing something.

FYI, I'm not posting the website on purpose because I don't want to invite hacking something I think is insecure.


Solution

  • Without knowing how the iframes are used, it's hard to assess the security issues the site may have.

    But it sounds like they may gather the new clients' info on insecure forms and then post it to an https endpoint. As Troy Hunt explains in this article, this is not a secure practice.

    Obviously as you already allude to, without https, a man-in-the-middle attack could easily post the complete form to an attacker site without the user knowing as the integrity and/or origin of the page are not guaranteed.

    Even if they are serving the form in an iframe over https, if the containing page is served over http, the iframe can be replaced by a MiM attack.
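A small offline audit that applies the answer's reasoning to a fetched page: it flags forms and iframes carried by an http parent (the arrangement the vendor described) and, for an https parent, any form action or iframe source that downgrades to http. This is an added example, not code from the original post; `audit_page`, `_Collector`, the example hostnames and the sample HTML are all constructed here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Collector(HTMLParser):
    """Collect <form action> and <iframe src> attributes from a page."""
    def __init__(self):
        super().__init__()
        self.forms, self.iframes = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")


def audit_page(page_url: str, html: str) -> list:
    """Return findings for the page served at page_url; empty list means none."""
    findings = []
    c = _Collector()
    c.feed(html)
    if urlsplit(page_url).scheme != "https":
        # An http parent can be rewritten in transit, so every form and
        # iframe it carries inherits that weakness even if they use https.
        for action in c.forms:
            target = urljoin(page_url, action or page_url)
            findings.append(f"form on http page posts to {target}: "
                            "the form itself can be altered in transit")
        for src in c.iframes:
            findings.append(f"iframe {urljoin(page_url, src)} inside http parent: "
                            "the frame can be replaced in transit")
    else:
        # Https parent: flag only content that downgrades to http.
        for src in c.iframes:
            if urlsplit(urljoin(page_url, src)).scheme == "http":
                findings.append(f"https page embeds http iframe {src}")
        for action in c.forms:
            if urlsplit(urljoin(page_url, action)).scheme == "http":
                findings.append(f"https page posts form to http {action}")
    return findings


# Constructed sample: an http page whose form and iframe both use https,
# i.e. the arrangement the vendor in the question described.
SAMPLE_HTML = ('<form action="https://forms.example.com/intake" method="post">'
               '</form><iframe src="https://forms.example.com/embed"></iframe>')

if __name__ == "__main__":
    print("\n".join(audit_page("http://clinic.example.com/NewPatient.aspx", SAMPLE_HTML)))
```

Run against the same HTML served from an https URL, the function returns no findings, which is exactly the difference the answer draws between framing https content and serving the whole page over https.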