Menu
As a user of web applications, I tend to only sign up for services that use SSL secured login forms. As a developer, I know the risk is that non SSL forms are transmitted in plain-text and an unscrupulous individual could "sniff" the HTTP traffic and ascertain my login and password.
However, what is the true risk or possibility of this happening if I'm say, at home, on my DSL or Cable internet connection? Where would the packet sniffer need to be running? Could packets be sniffed at any point back to the server? Is it easier to "sniff packets" in a corporate network with a larger LAN, as opposed to being at home?
I've developed web applications for quite a while, but I've never truly understood this. I would love to get some clarification on this.
Thanks.
656
If you do not have an SSL certificate on your website, then all the confidential information on your site might be accessed by hackers. This may lead to leakage of personal data of your customers, including payment details which may be compromised.
Without SSL, your site visitors and customers are at higher risk of being having their data stolen. Your site security is also at risk without encryption. SSL protects website from phishing scams, data breaches, and many other threats. Ultimately, It builds a secure environment for both visitors and site owners.
Why HTTPS? The problem is that HTTP data is not encrypted, so can be intercepted by third parties to gather data passed between the two systems. This can be addressed by using a secure version called HTTPS, where the S stands for Secure.
The risk of your traffic being sniffed on a node between your ISP and the destination is remote. You would be one amongst millions and it takes a non-trivial amount of processing power at that level to perform packet inspection to identify packets carrying login information.
The real risk is at local network, as it has been pointed out. The 2 most common scenarios are:
An infected computer or malicious user employs tricks like ARP poisoning to sniff all unencrypted traffic. ARP poisoning is fairly unnoticeable on low traffic networks. On high traffic networks it will cause noticeable performance degradation and probability of detection increases. The effectiveness of ARP poisoning maybe reduced by diligent network partitioning.
Someone has control of the gateway. This is probably the worst scenario, as all internet traffic passes through the gateway. Depending on how clever the attacker is, this can be very difficult to detect.
SSL guards against sniffing, and it has another advantage you might not be aware of: SSL allows you be sure the entity receiving your passwords and other details is who you think it is.
If say you were victim of DNS poisoning where someone redirects you to a malicious site which looks exactly like the legitimate website, you would have no way of knowing. With SSL you would get a warning/error that the site does not have a valid certificate which would alert you that all is not as it should be.
Personally I tailor my passwords to whether or not information travels over HTTPS. I do this because it is inevitable that eventually I will need login over HTTP on a untrusted network.
57
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
