Okay, this is probably quite basic, but the implications are important to me in this phase of development. I am thankful for any input and discussion.
The data in this example are not protected using SSL encryption.
page1.php/asp contains a form which POSTs the variables username and password to page2.php/asp.
- Can ANYONE from ANYWHERE intercept my POST data just by listening for it, perhaps with some third party software like Firesheep?
If the above question renders TRUE:
- Should I always consider my unencrypted POST data freely available for anyone?
- Is the standard login form on my site just a ploy to depict a layer of security that’s not even there?
- Should I then consider the login feature just as a way for me to personalize the user experience?
- Does it make sense to encourage the user NOT to use his or her normal (assumed safer) password, since it won’t be protected during their registration and login procedures?
I ponder these issues; I appreciate any input and feedback.
No, the traffic has to pass near them.
It doesn’t, but even so.
Unless it only travels across a LAN, then yes. If it does only travel across a LAN then add the qualifier “on that LAN” and the answer will be yes.
No
Certainly you shouldn’t do anything serious without encryption.
It would make sense to do so for any system. Even if the communication was secure, your server could be compromised in the future, or a third party system could be and then the data there used to attack your system.
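The answer's point that nothing serious should happen without encryption can be enforced on the server rather than left to the form. The following is an added example, not code from the question or the answer: a small WSGI-style guard for a login endpoint that only lets the handler read credentials when the request arrived over TLS (directly, or via a trusted reverse proxy), sends GET requests on plain HTTP to the HTTPS URL, refuses plaintext POSTs outright (a 307 redirect would just resubmit a body that has already crossed the wire unencrypted), and adds an HSTS header so later visits never start on plain HTTP. The proxy address, host names and environ values are constructed for the example.

```python
"""Transport guard for a login endpoint (added example; assumptions marked)."""
from urllib.parse import urlunsplit

# Assumption: the only host allowed to assert X-Forwarded-Proto is our own
# TLS-terminating reverse proxy. Any other client can set that header too,
# so it must never be trusted from an arbitrary REMOTE_ADDR.
TRUSTED_PROXIES = {"10.0.0.5"}

# One year, including subdomains: browsers then upgrade future plain-HTTP
# navigations to this site before any request leaves the machine.
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def request_is_tls(environ):
    """True only if this request reached the app over TLS.

    Direct TLS shows up as wsgi.url_scheme == "https". Behind a proxy the
    app-side hop is plain HTTP, so the proxy's X-Forwarded-Proto is consulted
    instead, but only when the request really came from that proxy.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_location(environ):
    """Same URL, https scheme: where a plain-HTTP GET should be sent."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    return urlunsplit(("https", host, path, query, ""))


def login_transport_guard(environ):
    """Decide how the login endpoint responds before touching any form data.

    Returns (status, headers):
      200 -> safe to read username/password from the body; HSTS attached.
      301 -> plain-HTTP GET of the login page; send the browser to HTTPS.
      403 -> plain-HTTP POST; the credentials were already exposed in
             transit, so they are not accepted as a login.
    """
    if request_is_tls(environ):
        return 200, [HSTS]
    if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD"):
        return 301, [("Location", https_location(environ))]
    return 403, []


if __name__ == "__main__":
    # Constructed sample environs, one per case the guard distinguishes.
    samples = {
        "direct TLS POST": {"wsgi.url_scheme": "https", "REQUEST_METHOD": "POST",
                            "REMOTE_ADDR": "203.0.113.9"},
        "plain GET": {"wsgi.url_scheme": "http", "REQUEST_METHOD": "GET",
                      "HTTP_HOST": "example.com", "PATH_INFO": "/page1.php",
                      "QUERY_STRING": "", "REMOTE_ADDR": "203.0.113.9"},
        "plain POST": {"wsgi.url_scheme": "http", "REQUEST_METHOD": "POST",
                       "HTTP_HOST": "example.com", "PATH_INFO": "/page2.php",
                       "REMOTE_ADDR": "203.0.113.9"},
        "spoofed header": {"wsgi.url_scheme": "http", "REQUEST_METHOD": "POST",
                           "HTTP_X_FORWARDED_PROTO": "https",
                           "REMOTE_ADDR": "198.51.100.7"},
    }
    for name, env in samples.items():
        print(f"{name:16s} -> {login_transport_guard(env)}")
```

The guard runs before the request body is parsed, so a plaintext submission never becomes a session even if a user types credentials into a cached or mistyped http:// copy of the form.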