Let's say that you enter your login credentials via a form, and that form is served on a page that is not SSL-protected. Assuming that your PC is free of keylogger malware, the data will remain on your computer until you click the "submit" button. So far, so good. If the form data is posted to a page that begins "HTTPS," the browser will attempt to establish an SSL connection with the server named in the form's action URL; the connection will take place over port 443.
If a secure connection is made, the data will be encrypted and transmitted to the server; otherwise no data is sent. Still sounds safe and secure, right? Unfortunately, there is a serious problem here.
How do you know if you're on the real Web site? If the login form is delivered via HTTP, there's no guarantee that a variety of known attacks hasn't affected the data as it traveled between the server and the client. When transmitting data in a form that is not SSL-protected, you cannot be certain as to where the data is being sent. If you can't be sure which Web site you're really on, it doesn't matter if the data being sent is encrypted. Hackers can substitute a false login page or launch a man-in-the-middle attack and simply retarget the POST command, submitting it to an HTTPS site that they control.
The SSL protocol provides encryption and authentication services, but if a form is not SSL-protected, the site can't be authenticated until after the data has been sent. So even though your data is encrypted, there's no way to know who you're really giving it to.
While a Web page will load more quickly if it is not SSL-protected, and SSL encryption can be costly for high-traffic sites that use HTTPS, there is still no excuse for abandoning good security practices. Many Web surfers know to look for the padlock symbol, a visual representation that the page is SSL-encrypted. Before providing any sensitive information, users can then verify that they're at the correct site, checking the site's security certificate to see the organization's name and who issued the cert. The Federal Trade Commission and the Anti-Phishing Working Group have urged consumers to be wary of any banking or online commerce site that does not prominently display the telltale padlock when accepting user credentials. By not using SSL, sites are undoing the industry's security awareness efforts.
This was first published in July 2007