Let me show you a little example using an online payment system that most of you are probably familiar with: Paypal. I'm not singling these guys out. It will happen with any so-called secure site that you care to mention, but it's one of the scarier ones, as many of us have bank cards linked directly to our accounts.
Is My Account Secure if I use Secure Sites (SSL)?
First of all, I want to show you how many places have the possibility of intercepting your data when you log in to Paypal. It's the very nature of the way the internet works that all your data flies across a huge array of shared hardware that makes up the infrastructure of the internet. If you want to see the route your request will travel to a particular website, you can use the tracert command in Windows. Just open the command prompt and type the following
This will show you the route all your requests will take to the Paypal server.
Here's the route my requests will take, starting off from my router, next to my ISP, then along a series of routers and switches until it reaches the Paypal web servers. Any of these points has complete access to all my data, and it will probably be logged at most of these points along the way. Of course, you can add to this list anybody who is deliberately intercepting your traffic from any of these locations too.
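To make the hop list above easier to read, here is an added example (not part of the original post) that parses Windows tracert output and labels each hop as inside your own network or outside it. The sample trace is constructed from documentation addresses, and the names parse_tracert and exposure_summary are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Windows tracert output (documentation addresses, not a real trace).
SAMPLE = """\
Tracing route to www.example.com [203.0.113.80]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     9 ms     8 ms     9 ms  10.20.0.1
  3    12 ms    11 ms    12 ms  isp-gw.example.net [198.51.100.1]
  4     *        *        *     Request timed out.
  5    25 ms    24 ms    26 ms  203.0.113.80

Trace complete.
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hop number, three timing columns ("<1 ms", "12 ms" or "*"), then the responder.
HOP = re.compile(r"^\s*(\d+)(?:\s+(?:<?\d+ ms|\*)){3}\s+(.+?)\s*$")
# Responder is either "hostname [ip]" or a bare ip.
ADDR = re.compile(r"^(?:(\S+) \[([0-9A-Fa-f.:]+)\]|([0-9A-Fa-f.:]+))$")

def parse_tracert(text):
    """Return one dict per hop: number, hostname, ip and a coarse zone label."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # header, blank line or "Trace complete."
        hop = {"hop": int(m.group(1)), "host": None, "ip": None, "zone": "unknown"}
        a = ADDR.match(m.group(2))
        if a:  # no match means the hop did not answer ("Request timed out.")
            try:
                ip = ipaddress.ip_address(a.group(2) or a.group(3))
            except ValueError:
                ip = None
            if ip is not None:
                local = ip.version == 4 and any(ip in net for net in RFC1918)
                hop.update(host=a.group(1), ip=str(ip), zone="local" if local else "external")
        hops.append(hop)
    return hops

def exposure_summary(hops):
    """Count hops per zone; 'external' hops are outside your own network."""
    return dict(Counter(h["zone"] for h in hops))

if __name__ == "__main__":
    for h in parse_tracert(SAMPLE):
        print(h)
    print(exposure_summary(parse_tracert(SAMPLE)))
```

Hops marked "unknown" did not answer the probe; they still carry the traffic, so count them as additional points on the path.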
Now, normal web requests are serviced using HTTP, which is a basic clear-text protocol. It's fast and efficient, but anyone who has access to this data can view all of it. This complete lack of security is why SSL was invented: it adds a layer of encryption to web requests for important transactions, like logging in to a web-based payment system such as Paypal or logging in to your bank account.
So let me show you the problem with SSL security as I log in to Paypal -
You can see at the top that this is a secure web page protected by SSL. The address starts with HTTPS, which means that when I log in all my details are encrypted, including my username and password. That's great then, nothing to worry about, or is there?
Next I want to introduce you to a little program called an SSL sniffer, made by a company called Komodia. You can download it for free at this address - Komodia Sniffer. This program not only can sit and sniff all the data sent and received by any process (in this case it will be Firefox), but it can also decrypt the data as well. It takes about a minute to set up and requires no real technical skill.
So here's what I see after I log in to my Paypal account with Komodia SSL Digestor running in the background.
Now you'll have to try this for yourself or take my word for it, but listed in the data is my Paypal login name and the password. I've obviously blanked this out, but I can assure you it was completely decrypted and readable. The SSL Digestor actually decrypts the traffic on the fly, so anyone has the potential to harvest usernames and passwords for any accounts on the internet using this and tools like it.
Now don't get me wrong, I use a VPN to the UK all the time to watch my favorite shows on the BBC iPlayer just like this. But don't forget about the security aspect: if you've invested in a subscription to a proper security product like Identity Cloaker, don't just use it for watching BBC iPlayer overseas - protect your connection too!