Let's say that you enter your login credentials via a form, and that form is served on a page that is not SSL-protected....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Assuming that your PC is free of keylogger malware, the data will remain on your computer until you click the "submit" button. So far, so good. If the form data is posted to a page that begins "HTTPS," the browser will attempt to establish an SSL connection with the server named in the form's action URL; the connection will take place over port 443.
If a secure connection is made, the data will be encrypted and transmitted to the server; otherwise no data is sent. Still sounds safe and secure, right? Unfortunately, there is a serious problem here.
How do you know if you're on the real Web site? If the login form is delivered via HTTP, there's no guarantee that a variety of known attacks hasn't affected the data as it traveled between the server and the client. When transmitting data in a form that is not SSL-protected, you cannot be certain as to where the data is being sent. If you can't be sure which Web site you're really on, it doesn't matter if the data being sent is encrypted. Hackers can substitute a false login page or launch a man-in-the-middle attack and simply retarget the POST command, submitting it to an HTTPS site that they control.
The SSL protocol provides encryption and authentication services, but if a form is not SSL-protected, the site can't be authenticated until after the data has been sent. So even though your data is encrypted, there's no way to know who you're really giving it to.
While a Web page will load more quickly if it is not SSL-protected, and SSL encryption can be costly for high-traffic sites that use HTTPS, there is still no excuse for abandoning good security practices. Many Web surfers know to look for the padlock symbol, a visual representation that the page is SSL-encrypted. Before providing any sensitive information, users can then verify that they're at the correct site, checking the site's security certificate to see the organization's name and who issued the cert. The Federal Trade Commission and the Anti-Phishing Working Group have urged consumers to be wary of any banking or online commerce site that does not prominently display the telltale padlock when accepting user credentials. By not using SSL, sites are undoing the industry's security awareness efforts.
Dig Deeper on SSL and TLS VPN Security
Related Q&A from Michael Cobb
Is cookie encryption enough to protect sensitive information? Expert Michael Cobb explains how salted hashes can prevent attacks, and the secure way ...continue reading
A vulnerability was found in the Blackphone's Icera modem. Expert Michael Cobb explains how attackers could hijack the device, and if this would ...continue reading
Oracle is killing off the Java browser plug-in due to security risks. Expert Michael Cobb explains the next steps for enterprises with Java-based ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.