Unsecured Websites: Risks Beyond Passwords

TL;DR

Websites without SSL (HTTPS) aren’t just risky for passwords. They expose all your data, making you vulnerable to eavesdropping and tampering. Use a browser extension like HTTPS Everywhere and avoid entering sensitive information on non-secure sites.

Understanding the Risks

You’re right to be concerned about websites that don’t use SSL/TLS (indicated by ‘HTTPS’ in your address bar and a padlock icon). While plain-text passwords are a major issue, the dangers go much further. SSL encrypts all communication between your computer and the website server.

What Data is at Risk?

1. Passwords: As you mentioned, anyone intercepting the data can see your password as it’s sent to the site.
2. Personal Information: This includes names, addresses, phone numbers, dates of birth – anything you type into forms.
3. Financial Details: Credit card numbers, bank account details are particularly sensitive and valuable targets.
4. Cookies: These small files store information about your browsing session. They can be used to track you across the web or hijack your accounts if they aren’t protected.
5. Browsing History: An attacker could see which pages you visit on that site, revealing your interests and potentially identifying you.
6. Search Queries: If you use a search function on the website, those queries are also sent in plain text.

How Data is Intercepted

Several methods can be used to intercept your data:

• Public Wi-Fi: Unsecured public networks are prime locations for ‘man-in-the-middle’ attacks, where an attacker intercepts traffic between you and the website.
• Compromised Routers: If a router on your network is compromised, it can redirect your traffic to malicious servers.
• Malicious Software: Malware on your computer could monitor your network activity and steal data before it’s encrypted (or even after if SSL isn’t used).

What Can You Do?

1. Check the Address Bar: Always look for ‘HTTPS’ and the padlock icon. If you see a warning about an insecure connection, proceed with extreme caution.
2. Use HTTPS Everywhere: This browser extension automatically switches connections to HTTPS where possible. You can download it from EFF’s website.
3. Avoid Sensitive Information: Don’t enter passwords, financial details, or personal information on websites that don’t use SSL.
4. Look for Trust Seals: While not foolproof, trust seals from reputable security companies can indicate a site takes security seriously (but verify the seal if possible).
5. Keep Your Software Updated: Regularly update your browser, operating system, and antivirus software to protect against vulnerabilities.
6. Use a VPN: A Virtual Private Network encrypts all your internet traffic, adding an extra layer of security, especially on public Wi-Fi.

Checking SSL Certificate Details

You can view the details of a website’s SSL certificate by clicking on the padlock icon in your browser address bar and selecting ‘Certificate’. This will show you information about the issuing authority, validity period, and other important details.

Command Line Example (Checking Certificate Validity)

You can use OpenSSL from the command line to check a certificate’s validity. Replace example.com with the website address:

openssl s_client -connect example.com:443

This will output detailed information about the SSL certificate, including its expiration date.