When the browser sends and receives sensitive data to and from a web application over an insecure communication channel, anyone who can listen on that channel (for example, in public places) can capture that data. So it is important to establish a secure communication channel and to configure it in such a way that it works as expected.
Difference between HTTP and HTTPS
As you know, there are two possible cases while the browser is communicating with the web application. In the first case data is sent over HTTP (Hypertext Transfer Protocol), in the second over HTTPS (Hypertext Transfer Protocol Secure). Data sent over HTTP is not protected, unlike HTTPS, which guarantees the confidentiality of the communication. In contrast to HTTP, HTTPS uses security technologies such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt the communication channel. In other words: HTTPS = HTTP + SSL/TLS. So to stop attackers from reading sensitive data, you should always prefer HTTPS over HTTP.
On https://hack-yourself-first.com/ (a website built specifically for practising web penetration testing), after registering, go to the login page. Before entering your credentials, open the "Inspect element" tool of your browser, then open the Network tab, which displays all the requests you make. After that, enter your credentials and press the login button. In the Network tab, open the top request. On the right-hand side you will see the Params (parameters) tab, which displays the credentials you have just entered:
You sent the request over insecure HTTP. If an attacker eavesdrops on the communication channel between the web application and the browser, he can easily read these credentials and use them for malicious purposes.
Problems with Transport Layer Protection
There are different types of problems with Transport Layer Protection. One of them is insecure protocols (for example, SSL 3). If this protocol is supported, attackers can use the POODLE attack to gain access to sensitive data that should be protected by SSL 3. Other problems with Transport Layer Protection are insecure cipher suites and vulnerabilities in crypto libraries. For example, the "Heartbleed" vulnerability allows an attacker to read the memory of the web server.
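As an added example (not part of the original article), the code below turns two of the problem classes named above into checks a defender can run: an audit of the protocol versions and cipher suites a server advertises (the scan data is constructed, as a TLS scanner might report it), and a Python `ssl` client context configured so that it refuses SSL 3 and weak suites. The weak-cipher name markers are my own heuristic, not an authoritative list; library bugs such as Heartbleed cannot be detected from configuration alone and are not covered.

```python
import ssl

# Protocol versions the article singles out as insecure, and why.
INSECURE_PROTOCOLS = {
    "SSLv2": "obsolete, cryptographically broken",
    "SSLv3": "POODLE padding-oracle attack",
}

# Name fragments that mark an OpenSSL-style cipher-suite name as weak.
# Heuristic list of my own, not an authoritative catalogue.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")

# Constructed sample of what a TLS scanner might report for one server.
SAMPLE_SCAN = {
    "protocols": ["SSLv3", "TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "EXP-DES-CBC-SHA"],
}


def audit_tls_config(protocols, cipher_suites):
    """Return human-readable findings for a server's advertised TLS settings."""
    findings = []
    for proto in protocols:
        if proto in INSECURE_PROTOCOLS:
            findings.append(f"protocol {proto}: {INSECURE_PROTOCOLS[proto]}")
    for suite in cipher_suites:
        hits = [m for m in WEAK_CIPHER_MARKERS if m in suite]
        if hits:
            findings.append(f"cipher {suite}: weak component {'/'.join(hits)}")
    return findings


def hardened_client_context():
    """Client-side SSLContext that refuses SSL 3, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context()        # verifies server certificates
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION      # rule out compression side channels
    return ctx


def context_is_hardened(ctx):
    """True if ctx refuses old protocols, compression and every weak suite."""
    offers_weak = any(
        any(m in c["name"] for m in WEAK_CIPHER_MARKERS) for c in ctx.get_ciphers()
    )
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and bool(ctx.options & ssl.OP_NO_COMPRESSION)
        and not offers_weak
    )


if __name__ == "__main__":
    for line in audit_tls_config(SAMPLE_SCAN["protocols"], SAMPLE_SCAN["ciphers"]):
        print("FINDING:", line)
    print("client context hardened:", context_is_hardened(hardened_client_context()))
```

Pointing `audit_tls_config` at real scanner output is the quickest way to spot the SSL 3 and weak-suite exposure this section describes before an attacker does.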