Let's say that you enter your login credentials via a form, and that form is served on a page that is not SSL-protected....
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Assuming that your PC is free of keylogger malware, the data will remain on your computer until you click the "submit" button. So far, so good. If the form data is posted to a page that begins "HTTPS," the browser will attempt to establish an SSL connection with the server named in the form's action URL; the connection will take place over port 443.
If a secure connection is made, the data will be encrypted and transmitted to the server; otherwise no data is sent. Still sounds safe and secure, right? Unfortunately, there is a serious problem here.
How do you know if you're on the real Web site? If the login form is delivered via HTTP, there's no guarantee that a variety of known attacks hasn't affected the data as it traveled between the server and the client. When transmitting data in a form that is not SSL-protected, you cannot be certain as to where the data is being sent. If you can't be sure which Web site you're really on, it doesn't matter if the data being sent is encrypted. Hackers can substitute a false login page or launch a man-in-the-middle attack and simply retarget the POST command, submitting it to an HTTPS site that they control.
The SSL protocol provides encryption and authentication services, but if a form is not SSL-protected, the site can't be authenticated until after the data has been sent. So even though your data is encrypted, there's no way to know who you're really giving it to.
While a Web page will load more quickly if it is not SSL-protected, and SSL encryption can be costly for high-traffic sites that use HTTPS, there is still no excuse for abandoning good security practices. Many Web surfers know to look for the padlock symbol, a visual representation that the page is SSL-encrypted. Before providing any sensitive information, users can then verify that they're at the correct site, checking the site's security certificate to see the organization's name and who issued the cert. The Federal Trade Commission and the Anti-Phishing Working Group have urged consumers to be wary of any banking or online commerce site that does not prominently display the telltale padlock when accepting user credentials. By not using SSL, sites are undoing the industry's security awareness efforts.
Dig Deeper on SSL and TLS VPN Security
Related Q&A from Michael Cobb
A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held ...continue reading
A password-verification flaw in iOS 10 allowed attackers to decrypt local backups. Expert Michael Cobb explains how removing certain security checks ...continue reading
HTTP public key pinning, a security mechanism to prevent fraudulent certificates, was not used by Firefox, and left it open to attack. Expert Michael...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.