Network Security Does Not Imply Application or Database Security

The Internets are full of bad advice. Some is harmless, but some is downright dangerous, especially when it isn’t bad advice per se but rather, shall we say, incomplete. Suggesting that you should only provide personal information to sites that use HTTPS is an example of the latter kind, because it implies that as long as a web application is using SSL for transport layer (network) security, then it is safe to give up your private, personal information.

Because miscreants would never set up a phishing site and enable SSL. Because SSL somehow magically strips out malicious SQL injection and other web application attacks from the data. Because SSL is carried right over into the database, where all that personal, private data you just gave up is safely encrypted and even if it is stolen it will be unusable.
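To make the middle point concrete, here is an added example (not code from the original post) showing why transport encryption is irrelevant to SQL injection: TLS is terminated before the application reads the request, so the database receives exactly the bytes the client typed. The table, the rows, the `lookup_vulnerable`/`lookup_parameterized` functions and the injected input are all constructed for this illustration; the only difference between the two lookups is whether the value is concatenated into the SQL text or bound as a parameter.

```python
import sqlite3

# Constructed stand-in for the application's backend database.
# Note that the card numbers are stored in plain text: nothing about the
# HTTPS connection that delivered them encrypts them at rest.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, card_number TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "4111-0000-0000-0001"), ("bob", "4111-0000-0000-0002")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # The value was protected by TLS in transit, but it has already been
    # decrypted by the time the application builds this string, so the
    # database parses whatever the client sent as part of the SQL text.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    # Parameter binding keeps the SQL text fixed; the driver passes the
    # value separately, so it is only ever compared as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def stored_card_numbers(conn):
    # What an attacker who reaches the database (or its backups) sees:
    # the same plaintext the user submitted over the encrypted channel.
    return [row[0] for row in conn.execute("SELECT card_number FROM users")]

# Hypothetical malicious input (constructed): a classic tautology that turns
# the WHERE clause into one that matches every row.
CONSTRUCTED_INPUT = "nobody' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, CONSTRUCTED_INPUT),
        "parameterized": lookup_parameterized(conn, CONSTRUCTED_INPUT),
        "at_rest": stored_card_numbers(conn),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable lookup returns every user for an input that should match none, while the parameterized lookup returns nothing; TLS played no part in either outcome. The last query shows the other half of the post's point: encrypting the channel does nothing for the data once it is sitting in the table.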

This is akin to suggesting that as long as the door is locked, the fact that it’s a glass room makes it secure enough to store the Hope Diamond.

It would almost be amusing if it weren’t for the fact that people less technically inclined will take this advice (which is not all bad) and subsequently trust that their personal, private information is safe (that is bad). They will mistakenly believe that they will not be the victims of identity theft at some nebulous point in the future. They will relax and give up credit card and account numbers, too, because obviously the owner of the web application is serious about security.

This kind of advice without further follow-up generates a false sense of security that will possibly be the cause of much angst in the future when reality rears its ugly head and some poor Internet neophyte learns he’s given up his identity because there was a lock icon on the bottom of the browser.

Published May 12, 2010
Version 1.0
