HTTP Authentication can ensure that no one has access to sensitive content on your website without your permission. However, once someone has access — whether authentication was required or not — all data that goes back and forth between your server and the client's browser is ordinarily sent in the clear. So, if any of those exchanges were to be intercepted along the way (a particular danger if the client is connected to an unencrypted Wi-Fi network but still possible even with a completely wired connection), an eavesdropper could see any data the browser sends or receives.
If your website exists only to provide information to the public or to show off pictures of your family or recount your personal experiences in a blog, it's fine for the data to be sent in the clear because an eavesdropper could see only things intended for the general public. However, if your website collects any personal data using a web form or displays confidential information such as passwords, private addresses, or medical or legal records, authentication alone isn't enough — you should encrypt your site by using SSL.
For more on SSL, see Chapter 10.
SSL-encrypted web pages have URLs that begin with https rather than the usual http. With SSL enabled, the browser and the server negotiate with each other and establish a key pair for public-key encryption. The padlock icon in your browser confirms that you're viewing an encrypted page.
Protecting a site with SSL requires ...