Transport Layer Security (TLS) is a cryptographic
protocol that allows client-server applications to communicate across
a network in a way designed to prevent eavesdropping and tampering.
Website authors should ensure any sensitive communication is done over
HTTPS, which makes use of the TLS protocol.
However, hosting and renewing certificates requires a little maintenance.
It's often tempting to get lazy about following best practices.
It's important, then, to keep in mind what risks we run if we
don't use encrypted communication. Let's look at a real-world
example of how hackers can take advantage of unencrypted communication
though a man-in-the-middle attack.
Mal is a hacker. Today is his day off from hacking,
but he enjoys his job so much, he has decided to do some recreational
hacking.
Mal takes his laptop to his favorite coffee shop, buys a coffee, and
makes himself comfortable.
The cafe has a free Wi-Fi for its caffeine-swilling patrons, so Mal
knows a lot of people come here with laptops.
Mal lays his trap by setting up his own Wi-Fi hotspot, with an ambiguous
name, hoping to trick people into using it.
His hotspot proxies traffic through to the internet, but he also sets
up a network sniffer so he can inspect any traffic as it passes through.
By the time Mal has finished his coffee he has a
whole file of hacked data. He disconnects his hotspot and heads out
without anyone being any the wiser.
Stan is a customer. He has had a hard day getting pwned
at work, and needs a coffee to unwind.
He connects to a likely looking hotspot, not knowing that Mal
is watching his every move.
Stan is perfectly safe when he visits sites that implement HTTPS.
Everything except the domain of the site is encrypted in the HTTP
packets.
However, any time Stan visits a site that doesn't use encryption,
Mal can see the conversation. Mal happily starts recording unsecured
credentials and other sensitive information.
