Before I start, let me say that I have amateur knowledge of HTTPS and other similar protocols, so this question may be simple to answer. But, as a layperson, it seems problematic.

Recently I was helping someone file their taxes online--nothing complicated, so free software suffices--but before we could begin, they had to reset their password. Since it was related to taxes, all accounts were based around SSN and email. Again, this seems fine as it's a legitimate 501(c)(4) org and is reputable. However, the user's input for their SSN was in plaintext with absolutely no delay in disguising it.

I understand this may be more user friendly as it could eliminate user error (i.e. typos in SSN), but does this then imply SSNs are being transferred in plaintext throughout their entire system? Is this type of plaintext input common industry practice? Bringing it down to the most basic level, is this type of input truly secure while being transferred over HTTPS?
That's how the internet works. All fields in forms are always sent in plain text, so it's up to HTTPS to secure it (as long as it is sent via POST request, not GET).
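To make the answer's two points concrete, here is an added example (not part of the original question or answer, and not code from the tax site) that builds the raw HTTP request a browser produces for an HTML form, once with GET and once with POST. The hostname, path and form values are assumed and constructed for illustration. It shows that the fields are serialised as plain `application/x-www-form-urlencoded` text either way (masking an `<input type="password">` on screen changes nothing on the wire; TLS is what encrypts the whole request in transit), and that with GET the SSN lands in the request line, which web servers, proxies and browser history record after TLS has been stripped off.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

# Assumed endpoint for the illustration; not the real site.
HOST = "tax-help.example"
PATH = "/account/reset"

# Constructed sample submission; the SSN is a made-up value.
SAMPLE_FIELDS = {"email": "taxpayer@example.com", "ssn": "123-45-6789"}


def build_form_request(method: str, fields: dict, host: str = HOST, path: str = PATH) -> bytes:
    """Return the raw HTTP/1.1 request a browser sends for an HTML form.

    Both methods serialise the fields as the same urlencoded text; the only
    difference is whether it goes in the request line (GET) or the body (POST).
    Whether the browser drew the field as dots or digits is irrelevant here.
    """
    encoded = urlencode(fields)  # e.g. email=taxpayer%40example.com&ssn=123-45-6789
    if method == "GET":
        return f"GET {path}?{encoded} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    if method == "POST":
        body = encoded.encode()
        head = (
            f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n"
        )
        return head.encode() + body
    raise ValueError("method must be GET or POST")


def request_line(request: bytes) -> str:
    """First line of the request: method, target and version."""
    return request.split(b"\r\n", 1)[0].decode()


def secret_in_request_line(request: bytes, secret: str) -> bool:
    """True if the secret is in the part of the request that gets logged."""
    return secret in request_line(request)


def access_log_line(request: bytes, client: str = "203.0.113.7") -> str:
    """Constructed access-log entry in Common Log Format, the way typical web
    servers write it: the request line is recorded verbatim, after TLS
    termination, so TLS does not protect what ends up here."""
    return f'{client} - - [01/Apr/2024:10:00:00 +0000] "{request_line(request)}" 200 512'


def fields_exposed_in_log(method: str, fields: dict = SAMPLE_FIELDS) -> set:
    """Names of form fields that would be readable in the server access log."""
    line = access_log_line(build_form_request(method, fields))
    logged_request_line = line.split('"')[1]
    target = logged_request_line.split(" ")[1]
    return set(parse_qs(urlsplit(target).query).keys())


if __name__ == "__main__":
    for method in ("GET", "POST"):
        req = build_form_request(method, SAMPLE_FIELDS)
        print(f"--- {method} ---")
        print(req.decode())
        print("log line:", access_log_line(req))
        print("fields visible in log:", fields_exposed_in_log(method))
```

Running it shows the SSN in plaintext inside both requests, which is exactly what the answer describes: the form encoding is plaintext by design, and confidentiality in transit comes from the TLS layer wrapping the whole request. The difference that matters for the site is the GET case, where the SSN is part of the URL and therefore survives in access logs, proxy logs, browser history and Referer headers even though the connection was HTTPS.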