Lumpy Burgertushie wrote:
Thu Feb 02, 2017 10:08 pm
It is still only securing information during transfer. What is the point of securing HTML and CSS when the browser requests it for a normal page load? Isn't the sensitive info, whatever that might be, only transferred when the form is submitted? It is usually only one way, is it not?
Sure. Let's take a step back to information you already know and let me build on that.
When the client (web browser) asks for www.phpbb.com/community/, it sends a request to the server. The response to that is the HTML. Actually, technically speaking, multiple requests are made for each resource, but let's stick to just one request for the purposes of this discussion.
I touched on the cookies. When you have a session with phpBB, or any other website that maintains sessions, cookies are used. An attacker able to see those cookies is able to become you and take over your account because your request to the server contains those cookies. This happens on GET and POST requests, of course.
If you protect only the login page and no other pages, you are opening yourself to Man-in-the-Middle attacks. Cookies can be sniffed and content can be manipulated; it isn't worth it to protect only the login page.
is a fun place to see just how much faster HTTPS is compared to HTTP. The benefits far outweigh any reasons to not have HTTPS everywhere.
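The cookie point above can be checked mechanically. This is an added example, not part of the original post: it audits which requests in a visit would carry a session cookie unencrypted when only the login page uses HTTPS. The host `forum.example`, the cookie names and the request list are constructed, and Path/Domain matching is left out for brevity.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers a forum might send after login.
# Cookie names and values are made up for this example.
SET_COOKIE_HEADERS = [
    "forum_sid=3f9c1e; Path=/; HttpOnly",            # session id, no Secure attribute
    "forum_u=2; Path=/; Secure; HttpOnly",           # marked Secure
]

# Constructed sample: requests made during a normal visit where only
# the login page is served over HTTPS.
REQUESTS = [
    "https://forum.example/ucp.php?mode=login",
    "http://forum.example/index.php",
    "http://forum.example/styles/main.css",
    "https://forum.example/viewtopic.php?t=1",
]

def parse_cookies(headers):
    """Return {cookie_name: has_secure_attribute} for each Set-Cookie header."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = bool(morsel["secure"])
    return jar

def cleartext_exposures(headers, urls):
    """List (url, cookie_name) pairs where a cookie crosses the network unencrypted."""
    jar = parse_cookies(headers)
    exposed = []
    for url in urls:
        if urlsplit(url).scheme != "http":
            continue  # TLS protects the Cookie header on https requests
        for name, secure in jar.items():
            if not secure:  # browsers withhold Secure cookies from http requests
                exposed.append((url, name))
    return exposed

if __name__ == "__main__":
    for url, name in cleartext_exposures(SET_COOKIE_HEADERS, REQUESTS):
        print(f"cookie {name!r} sent in cleartext with {url}")
```

Even the plain CSS request carries the session identifier, which is why serving every page over HTTPS and setting `Secure` on session cookies go together.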