- Using a public access point or an Internet café, you log into a web service that is not protected by HTTPS. Someone on the same network is running Wireshark and sees your username and password as they travel up to the website. The hacker takes the opportunity to log in as you, changing your password and pwning your account.
- Your email service provider encrypts your login using SSL (HTTPS), but removes that protection after you have logged in. Government authorities have tapped into the connection at your local service provider or elsewhere, capturing all the traffic and can read the messages you write or receive. The NSA’s XKeyscore system is one example of massive network surveillance that scoops up Internet traffic for analysis.
- You visit your bank’s website using https://. As the page loads, you see a certificate error. This is unusual, but you decide to click through anyway and arrive on a page that appears to be authentic. You enter your login information for your account. Later, however, you find out that a malicious organization was running a “man in the middle attack” to capture login credentials of users before sending them to the real bank site. With your information, they can now login to steal your money or they can sell your login details to criminals who will.
The purpose of this exercise is to illustrate how the HTTPS Everywhere plug-in can help protect user network connections. This tool directs a browser to use SSL connections over HTTPS, either when an SSL version of a website is available or when the website has been included in the pre-populated list that HTTPS Everywhere’s developers update regularly.
Related
