Let's say that you enter your login credentials via a form, and that form is served on a page that is not SSL-protected. Assuming that your PC is free of keylogger malware, the data will remain on your computer until you click the "submit" button. So far, so good. If the form data is posted to a page that begins "HTTPS," the browser will attempt to establish an SSL connection with the server named in the form's action URL; the connection will take place over port 443.
If a secure connection is made, the data will be encrypted and transmitted to the server; otherwise no data is sent. Still sounds safe and secure, right? Unfortunately, there is a serious problem here.
How do you know if you're on the real Web site? If the login form is delivered via HTTP, there's no guarantee that one of a variety of known attacks hasn't altered the page as it traveled between the server and the client. When transmitting data in a form that is not SSL-protected, you cannot be certain where the data is being sent. If you can't be sure which Web site you're really on, it doesn't matter whether the data being sent is encrypted. Hackers can substitute a false login page or launch a man-in-the-middle attack and simply retarget the POST, submitting it to an HTTPS site that they control.
The SSL protocol provides encryption and authentication services, but if a form is not SSL-protected, the site can't be authenticated until after the data has been sent. So even though your data is encrypted, there's no way to know who you're really giving it to.
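An added audit example (not part of the original article) that checks a page for the weakness described above: it flags any form containing a password field when the page itself was delivered over plain HTTP, when the form's action is not HTTPS, or when the action points at a host other than the page's own. The HTML snippets used in the test are constructed for this example.

```python
"""Audit login forms: a form delivered over plain HTTP cannot be trusted even
when its action URL is HTTPS, because whoever tampers with the HTTP page can
retarget the POST. Sample HTML is constructed, not captured from a real site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each form's action URL and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return a list of findings for every form on the page that asks for a password."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page = urlsplit(page_url)
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        # A relative action resolves against the page URL, as the browser would do.
        action = urlsplit(urljoin(page_url, form["action"]))
        if page.scheme != "https":
            # The form itself travelled in the clear, so its action could be rewritten in transit.
            findings.append("login form delivered over HTTP")
        if action.scheme != "https":
            findings.append(f"form posts credentials over {action.scheme or 'http'}")
        if action.hostname and action.hostname != page.hostname:
            findings.append(f"form posts to a different host: {action.hostname}")
    return findings
```

A page that passes with an empty findings list is served over HTTPS and posts its credentials over HTTPS to its own host; anything else is reported once per offending form.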
While a Web page will load more quickly if it is not SSL-protected, and SSL encryption can be costly for high-traffic sites that use HTTPS, there is still no excuse for abandoning good security practices. Many Web surfers know to look for the padlock symbol, a visual representation that the page is SSL-encrypted. Before providing any sensitive information, users can then verify that they're at the correct site, checking the site's security certificate to see the organization's name and who issued the cert. The Federal Trade Commission and the Anti-Phishing Working Group have urged consumers to be wary of any banking or online commerce site that does not prominently display the telltale padlock when accepting user credentials. By not using SSL, sites are undoing the industry's security awareness efforts.