As a user, how do I know my user name and password sent to a server is encrypted with HTTPS? Let me preempt the answer of "look for the little lock" or "look for https in the URL" with the following two examples:
First, let's say I browse to bank.com's website. When I get to the login page, the URL in the address bar says "https://www.bank.com/login.php". I type in my user name and password, and hit submit.
However, the form for the authentication says this:
<form action="http://www.bank.com/login.php"> ... </form>
Obviously, my credentials are not being sent through HTTPS. The second example is just the opposite, as you might imagine. I browse to bank.com and am presented with the "http://www.bank.com/login.php" page. However, the form this time uses HTTPS:
<form action="https://www.bank.com/login.php"> ... </form>
From this, it's clear we can't trust the lock symbol in the browser nor the "https" in the address bar.
I think I really have two questions which straddle SO and SU:
- SU: How can a normal (not HTML/programming savvy) user perform such a check effectively?
- SO: How can websites (or browsers) provide help to users to perform this check?
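As an added example (not part of the question or any answer): a browser-side check in JavaScript that resolves a form's `action` the way the browser will and flags both mismatch cases described above. The function names `classifyFormAction` and `findInsecureForms` are my own choices, and the sample page/action pairs are constructed from the URLs in the question.

```javascript
// Resolve where a form will actually submit, given the page URL and the raw
// action attribute, following the browser's rules: a missing or empty action
// submits to the page URL itself, a relative action resolves against the page
// URL, and "//host/path" keeps the page's scheme. `mismatch` is true when the
// address bar's scheme and the submission scheme disagree (either case above).
function classifyFormAction(pageUrl, action) {
  const page = new URL(pageUrl);
  const raw = action == null || action === "" ? page.href : action;
  const target = new URL(raw, page.href);
  const secure = target.protocol === "https:";
  return {
    target: target.href,
    secure,
    mismatch: secure !== (page.protocol === "https:"),
    crossOrigin: target.origin !== page.origin, // form posts to another site
  };
}

// Scan every form on the current page (browser only) and return the ones that
// would submit over plain HTTP, noting whether a password field is involved.
// Returns [] outside a browser so the helper can be unit-tested in Node.
function findInsecureForms(doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return [];
  const findings = [];
  for (const form of doc.forms) {
    const info = classifyFormAction(doc.location.href, form.getAttribute("action"));
    const hasPassword = form.querySelector('input[type="password"]') !== null;
    if (!info.secure) findings.push({ form, target: info.target, hasPassword });
  }
  return findings;
}

// Constructed sample inputs mirroring the two cases in the question, plus two
// resolution edge cases (empty action, scheme-relative action).
const examples = [
  ["https://www.bank.com/login.php", "http://www.bank.com/login.php"],
  ["http://www.bank.com/login.php", "https://www.bank.com/login.php"],
  ["https://www.bank.com/login.php", ""],
  ["https://www.bank.com/login.php", "//www.bank.com/login.php"],
];
for (const [page, action] of examples) {
  console.log(page, "+ action", JSON.stringify(action), "->",
    JSON.stringify(classifyFormAction(page, action)));
}
```

Note that this is a static snapshot: a `formaction` attribute on the submit button or a script that rewrites `form.action` at submit time can still change the destination, so a complete check has to run at the moment of submission rather than at page load.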