jeffhex

June 25, 2010 at 4:46am

I think I may be able to justify this, and I do not believe it is over-the-top or breaks the web.

https - secure HTML - provides encryption and authentication between the end points of the web based connection. Encryption means that the data being sent and received is scrambled from prying eyes, and authentication means that you are certain of with whom you are communicating.

These cases are not (as often) relevant over a wired connection, but when using open Wifi (like at Panera, Starbucks, McDonalds, hotels, and lots of other places) it is way too easy for someone to sniff user names, passwords, credit card numbers, and other account information right out of the wireless broadcast. It is significantly more difficult with the encryption that https provide.

The same holds true for uncontrolled wired connections. If you've ever plugged a laptop in a hotel room's ethernet and looked at your network neigborhood to notice who left file sharing turned on and their firewall turned off, you'll get an idea of how easy it is to set yourself up as a "man-in-the-middle" and sniff all those users traffic right off the wire.

Side note: It is possible for governments to obtain security certificates allowing them to appear as the authentic website you are trying to access, and thereby convince you that you are securely connected and authenticated to the place you want when they are actually able to decrypt all your information AND YOU WOULD NOT KNOW THIS. But as far as I know, individuals cannot YET do this.

For more information, I'd suggest the excellent Security Now! podcast by Steve Gibson. You can google for it.

 

-Jeff Hexter