Transport Layer Security (TLS) is a cryptographic protocol that allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.
Website authors should ensure any sensitive communication is done over HTTPS, which makes use of the TLS protocol.
However, hosting and renewing certificates requires a little maintenance. It's often tempting to get lazy about following best practices.
It's important, then, to keep in mind what risks we run if we don't use encrypted communication. Let's look at a real-world example of how hackers can take advantage of unencrypted communication though a man-in-the-middle attack.
Mal is a hacker. Today is his day off from hacking, but he enjoys his job so much, he has decided to do some recreational hacking.
Mal takes his laptop to his favorite coffee shop, buys a coffee, and makes himself comfortable.
The cafe has a free Wi-Fi for its caffeine-swilling patrons, so Mal knows a lot of people come here with laptops.
Mal lays his trap by setting up his own Wi-Fi hotspot, with an ambiguous name, hoping to trick people into using it.
His hotspot proxies traffic through to the internet, but he also sets up a network sniffer so he can inspect any traffic as it passes through.
By the time Mal has finished his coffee he has a whole file of hacked data. He disconnects his hotspot and heads out without anyone being any the wiser.
Stan is a customer. He has had a hard day getting pwned at work, and needs a coffee to unwind.
He connects to a likely looking hotspot, not knowing that Mal is watching his every move.
Stan is perfectly safe when he visits sites that implement HTTPS. Everything except the domain of the site is encrypted in the HTTP packets.
However, any time Stan visits a site that doesn't use encryption, Mal can see the conversation. Mal happily starts recording unsecured credentials and other sensitive information.