Let's say that you enter your login credentials via a form, and that form is served on a page that is not SSL-protected....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Assuming that your PC is free of keylogger malware, the data will remain on your computer until you click the "submit" button. So far, so good. If the form data is posted to a page that begins "HTTPS," the browser will attempt to establish an SSL connection with the server named in the form's action URL; the connection will take place over port 443.
If a secure connection is made, the data will be encrypted and transmitted to the server; otherwise no data is sent. Still sounds safe and secure, right? Unfortunately, there is a serious problem here.
How do you know if you're on the real Web site? If the login form is delivered via HTTP, there's no guarantee that a variety of known attacks hasn't affected the data as it traveled between the server and the client. When transmitting data in a form that is not SSL-protected, you cannot be certain as to where the data is being sent. If you can't be sure which Web site you're really on, it doesn't matter if the data being sent is encrypted. Hackers can substitute a false login page or launch a man-in-the-middle attack and simply retarget the POST command, submitting it to an HTTPS site that they control.
The SSL protocol provides encryption and authentication services, but if a form is not SSL-protected, the site can't be authenticated until after the data has been sent. So even though your data is encrypted, there's no way to know who you're really giving it to.
While a Web page will load more quickly if it is not SSL-protected, and SSL encryption can be costly for high-traffic sites that use HTTPS, there is still no excuse for abandoning good security practices. Many Web surfers know to look for the padlock symbol, a visual representation that the page is SSL-encrypted. Before providing any sensitive information, users can then verify that they're at the correct site, checking the site's security certificate to see the organization's name and who issued the cert. The Federal Trade Commission and the Anti-Phishing Working Group have urged consumers to be wary of any banking or online commerce site that does not prominently display the telltale padlock when accepting user credentials. By not using SSL, sites are undoing the industry's security awareness efforts.
Dig Deeper on SSL and TLS VPN Security
Related Q&A from Michael Cobb
A malicious app called Black Jack Free was able to bypass Google Play's app store security. Expert Michael Cobb explains the threat and how ...continue reading
SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the ...continue reading
Oracle has moved from using a modified version of CVSS v2.0 to CVSS v3.0. Expert Michael Cobb explains criticism of the old version, and the changes ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.