Any credentials or data entered on an HTTP page travel across the internet as plain, readable text — visible to anyone on the same network. This is a training demo.
HTTP vs HTTPS — what the difference means
HTTP — insecure
Data sent as plain text. Anyone between you and the server can read it: your ISP, the cafe Wi-Fi router, a corporate proxy, or an attacker on the same network.
HTTPS — secure
Data encrypted end-to-end using TLS. Even if intercepted, it's unreadable. Certificate also proves the server is who it claims to be.
Red flags to check in your browser
"Not Secure" in the address bar — Chrome, Edge, and Firefox all show this for HTTP sites
No padlock icon — HTTPS sites show a padlock (or just the domain in newer browsers); HTTP shows a warning triangle
URL starts with http:// — secure sites always use https://
Login or payment form on HTTP — no legitimate bank, email provider, or shopping site uses HTTP for login pages
What an attacker can do on HTTP
Read your username and password as you type them
Modify the page content before it reaches you — injecting fake forms or malware
Redirect you to a completely different page without you noticing
Capture session cookies to impersonate you after you log in
What to do
Always check for https:// before entering any credentials or payment details
If you see "Not Secure" on a login page — close it immediately and report the link to IT
On public Wi-Fi — treat all HTTP traffic as compromised; use a VPN
If you entered credentials on HTTP — change that password immediately from a secure network