Step 1: What’s the Worst that Could Happen?
What happens when a connection is not confidential?
• Someone can capture, search and read all of the text and images on all of the web pages you get from websites.
• Someone can capture, search and read all of the text and images that you upload and send to websites.
What happens when the website you’re visiting is not authenticated?
• A malicious person could intercept your encrypted web traffic by masquerading as a trusted server.
So what’s the worst that could happen?
• Someone could passively or actively collect, read, publish or sell information contained in or attached to all of your sent and received emails if you’re connecting with HTTP.
• Someone could passively or actively collect your passwords and account information sent via HTTP, and use them now or later to “pwn” your account, download your personal information (or that of your contacts), attempt to pwn your other accounts, or sell your account information and data online.
• Someone could masquerade as an HTTPS-protected website and trick you into sharing sensitive information.
- Using a public access point or an Internet café, you log into a web service that is not protected by HTTPS. Someone on the same network is running Wireshark and sees your username and password as they travel up to the website. The hacker takes the opportunity to log in as you, changing your password and pwning your account.
- Your email service provider encrypts your login using SSL (HTTPS), but removes that protection after you have logged in. Government authorities have tapped into the connection at your local service provider or elsewhere, capturing all the traffic and can read the messages you write or receive. The NSA’s XKeyscore system is one example of massive network surveillance that scoops up Internet traffic for analysis.
- You visit your bank’s website using https://. As the page loads, you see a certificate error. This is unusual, but you decide to click through anyway and arrive on a page that appears to be authentic. You enter your login information for your account. Later, however, you find out that a malicious organization was running a “man in the middle attack” to capture users’ login credentials before forwarding them to the real bank site. With your information, they can now log in to steal your money, or they can sell your login details to criminals who will.
The purpose of this exercise is to illustrate how the HTTPS Everywhere plug-in can help protect user network connections. This tool directs a browser to use HTTPS (SSL-encrypted) connections instead of plain HTTP, either when an SSL version of a website is available or when the website has been included in the pre-populated list that HTTPS Everywhere’s developers update regularly.
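To make the “pre-populated list” idea concrete, here is an added example (not the HTTPS Everywhere plug-in’s own code or data) of a small URL upgrader that works the same way: a list of rulesets, each naming the hosts it covers and a rewrite from http:// to https://. The ruleset names, hosts and patterns are constructed for illustration; note that the rewrite applies to every request to a covered host, not just the login page, which is what closes the “protection removed after login” gap in the second scenario above.

```python
import re
from urllib.parse import urlsplit

# Constructed rulesets in the spirit of HTTPS Everywhere's ruleset files (hypothetical
# names and hosts, not the plug-in's real data). "targets" lists the hosts a ruleset
# covers (a leading "*." means any subdomain); "rules" are regex rewrites to HTTPS.
RULESETS = [
    {"name": "ExampleMail", "targets": ["mail.example.com"],
     "rules": [(r"^http://mail\.example\.com/", "https://mail.example.com/")]},
    {"name": "ExampleBank", "targets": ["example-bank.net", "*.example-bank.net"],
     "rules": [(r"^http://(www\.)?example-bank\.net/", "https://www.example-bank.net/")]},
]


def _host_matches(host, target):
    """Exact host match, or any subdomain when the target starts with '*.'."""
    if target.startswith("*."):
        suffix = target[1:]  # e.g. ".example-bank.net"
        return host.endswith(suffix) and host != suffix[1:]
    return host == target


def upgrade_url(url, rulesets=RULESETS):
    """Return (possibly rewritten URL, reason).

    URLs that are already HTTPS are left alone; plain-HTTP URLs are upgraded only
    when a ruleset covers the host AND one of its rewrite patterns matches, so a
    host that merely resembles a listed one (e.g. evil.example.com) is not touched.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url, "already-https"
    if parts.scheme != "http":
        return url, "not-web"
    host = (parts.hostname or "").lower()
    for ruleset in rulesets:
        if any(_host_matches(host, t) for t in ruleset["targets"]):
            for pattern, replacement in ruleset["rules"]:
                new_url, count = re.subn(pattern, replacement, url)
                if count:
                    return new_url, "rewritten:" + ruleset["name"]
    return url, "no-rule"


if __name__ == "__main__":
    for u in ["http://mail.example.com/inbox?id=3", "http://example-bank.net/login",
              "http://evil.example.com/", "https://mail.example.com/"]:
        print(u, "->", upgrade_url(u))
```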