For more than two decades SSL has ruled the roost as the predominant encryption protocol on the Web. That is unfortunate, not least because many vulnerabilities have surfaced in SSL in recent years. It has had its day, done its job, and is now battle-weary. Today, to say the least, early versions of SSL and TLS no longer get the job done when it comes to securing website traffic.
By now it is common practice for websites to serve login pages over HTTPS so that passwords travel over an encrypted channel. Yet if the site then sends the authenticated user back onto plain HTTP links (no "S"), protecting the password may be a moot point: the session that the password established is exposed anyway.
From a web application’s point of view, your initial identity is proved by submitting valid credentials, but your identity in subsequent requests is tied to one or more "session tokens" — basically temporary cookies that are supposed to be unique to your browser. If those cookies are sent over plain HTTP, anyone who can read the traffic can present them and be treated as you, without ever learning your password. The following video demonstrates what happens when your browser’s unencrypted traffic is intercepted by a sniffer (for example on a shared Wi-Fi connection in a cafe, library, airport, or even at home).
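The defence against the problem just described is to make sure the session cookie can never be sent over plain HTTP in the first place: set it with the `Secure` attribute (and `HttpOnly`), and publish a `Strict-Transport-Security` policy so the browser refuses to follow `http://` links after login. The audit script below is an added example and is not code from the original post or its video; it parses a response's `Set-Cookie` and `Strict-Transport-Security` headers and reports any way the session token could still leak. The sample headers are constructed, and the set of cookie names treated as session identifiers is an assumption for the demonstration.

```python
"""Audit HTTP response headers for session cookies that can leak over plain HTTP.

Added example, not code from the original article. The response headers below
are constructed sample data, and SESSION_COOKIE_NAMES is an assumed list of
names commonly used for session identifiers.
"""
from http.cookies import SimpleCookie
from typing import Optional

# Assumed: names commonly used for session identifiers.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "session", "sid"}


def audit_set_cookie(header_value: str) -> list:
    """Return findings for one Set-Cookie header value.

    A cookie without the Secure attribute is attached to every matching request,
    including http:// ones, so anyone reading the traffic sees it in the clear.
    """
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = []
    for name, morsel in cookie.items():
        label = "session cookie" if name.lower() in SESSION_COOKIE_NAMES else "cookie"
        if not morsel["secure"]:
            findings.append(f"{label} {name}: missing Secure, will be sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{label} {name}: missing HttpOnly, readable by page scripts")
    return findings


def parse_hsts(header_value: Optional[str]) -> dict:
    """Parse a Strict-Transport-Security value into its directives (empty if absent)."""
    if not header_value:
        return {}
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def audit_response(headers: list) -> list:
    """Audit a list of (name, value) header pairs: every Set-Cookie plus the HSTS policy."""
    findings = []
    hsts = None
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value))
        elif name.lower() == "strict-transport-security":
            hsts = value
    policy = parse_hsts(hsts)
    max_age = int(policy.get("max-age", "0") or 0)
    if max_age <= 0:
        findings.append("no HSTS policy: browser may follow http:// links after login")
    elif "includesubdomains" not in policy:
        # A cookie scoped to the parent domain is also sent to subdomains, so an
        # http:// subdomain outside the policy can still expose it.
        findings.append("HSTS without includeSubDomains: domain-scoped cookies can still leak via http:// subdomains")
    return findings


# Constructed samples: a login response that protects the session token,
# and one that leaves it exposed to exactly the sniffing the article describes.
HARDENED = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
EXPOSED = [
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(label, audit_response(hdrs) or ["no findings"])
```

Running it against the exposed sample reports the missing `Secure` and `HttpOnly` attributes and the absent HSTS policy; the hardened sample produces no findings. The same functions can be pointed at the headers of a real login response captured from your own site.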
You can find a longer explanation of this problem (without getting tripped up in technical details) in one of my articles on Mashable.
Duration: 5 minutes