Forgive me for a potentially obvious question--and I know the safe answer is "Always use https!"--but I'm trying to get a grasp on how necessary it is to use https for anyone accessing the backend on CMSes like Drupal, WP, etc. I was wondering if anyone can clarify a few things.
My understanding of man-in-the-middle attacks is that they are relatively uncommon over networks with basic security measures (such as home networks, password-locked Wi-fi networks, office networks). Basically, there are no easy access points between, for instance, my home and my ISP, where someone can setup a system to intercept traffic.
Of course, open wi-fi networks provide an easy entry point to intercept traffic, but even large password-protected networks such as hotel internet connections, etc., provide another easy access point to intercept the traffic of anyone else accessing the internet through the same network.
Assuming these two things are correct, I would make the following deductions:
It would seem to me that logging into a CMS via http under any sort of administrative account is generally safe (though perhaps not a best practice) from home and from the office, as long as there is no open wi-fi and, of course, no malicious users using systems within said home or office.
This would also mean that if you are logging in to a CMS in such a capacity over a hotel connection, in-flight connection, or anything of the sort, you should always use https. I'm pretty sure this is obvious, but just asking to clarify, as security is not my specialty.
Can anyone tell me if I am basically on the right track here, or if any of my understandings or assumptions are flawed in any way? Basically, what I'm trying to determine is whether it is pretty necessary to always have CMS-based websites setup using https, or whether plain old http is, generally speaking, safe enough for sites on which administrators log in only from networks where all users are trusted.