SSL stands for Secure Sockets Layer, a protocol created by Netscape to ensure secure transactions between web servers and browsers.
In a nutshell, it uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transaction.
So the question has to be asked: if it is easy for some extension applications to access people’s data on a website that doesn’t use SSL, why don’t sites use SSL for all their pages?
Well, the answer is that in the past it’s come down to a matter of computing resources.
Encrypting all traffic to and from your server takes a lot of processing power, which for many sites would require extra hardware resources and therefore more cost. Plus it would also have an impact on the visitor’s browser, which has to do more work when receiving SSL pages. This obviously has a knock-on effect for low-powered clients like mobile phones.
But more recently both server-side and client-side computing power has increased, which means more sites are now able to use SSL. This includes pretty much all the major webmail providers.
However, there are still many popular sites that don’t use it – Facebook and Amazon to name but two. Mind you, when using Amazon you do have to re-enter your password before you can actually buy any products or change your shipping address, so an attacker is unlikely to be able to do anything nasty even if they did manage to hijack your session with Amazon.
But sites without SSL or the password re-entry method are still vulnerable. If someone impersonates you on Facebook they could download all your contacts and send them messages pretending they are coming from you, change your details, view all your pictures and even change your privacy settings without you realising it.
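The password re-entry safeguard described above, sketched as an added example from the server's side (not code from this page or from any site it names). The class, the action names and the five-minute window are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

REAUTH_WINDOW = 300  # seconds a password re-entry stays valid (assumed value)
SENSITIVE = {"buy", "change_shipping_address"}  # hypothetical action names


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionGate:
    """Hypothetical server-side check: a session cookie alone permits
    browsing, but sensitive actions need a recent password re-entry."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._pw = _hash(password, self._salt)
        self._reauth_at = {}  # session token -> time of last password re-entry

    def login(self, password: str):
        if not hmac.compare_digest(_hash(password, self._salt), self._pw):
            return None
        token = secrets.token_urlsafe(32)
        self._reauth_at[token] = None  # logged in, not yet re-authenticated
        return token

    def reenter_password(self, token: str, password: str, now=None) -> bool:
        if token not in self._reauth_at:
            return False
        if not hmac.compare_digest(_hash(password, self._salt), self._pw):
            return False
        self._reauth_at[token] = time.time() if now is None else now
        return True

    def allowed(self, token: str, action: str, now=None) -> bool:
        if token not in self._reauth_at:
            return False  # unknown session
        if action not in SENSITIVE:
            return True  # a copied session cookie is enough for this
        stamp = self._reauth_at[token]
        now = time.time() if now is None else now
        return stamp is not None and now - stamp <= REAUTH_WINDOW
```

The re-entry is recorded against the session token, so a copied cookie is also trusted while the window is open; the gate limits what a hijacked session can do but does not replace serving the pages over HTTPS.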
At the end of the day, if the site you’re visiting shows http:// rather than https:// in the address bar, you’re potentially vulnerable. It’s worth bearing in mind.