On the website of some company, it is possible to send personal data using a form. The browser I'm using says that the connection is secure.
Is it completely secure to send personal data via the form?
Is there any possibility that an attacker can grab the data, or maybe the data could be stored anywhere between my PC and the company's server?
The website is accessed using the HTTPS protocol, so the data should be encrypted, shouldn't it?
No system is 100% secure. But encryption provides a high level of security for data in motion. But it doesn't mean that your data is 100% secured or impossible to break.
Especially you may be trying to access a phishing website. Even though HTTPS is secure, you are sending data to a malicious website.
In addition, the certificate key may be compromised but the certificate is not revoked yet. Or, Forward Secrecy can provide enhanced security of HTTPS but most sites do not enable this feature.
If the site has HTTPS properly configured, you can trust it up to a certain level, because if someone collects data from a middle point, it is impossible to read. If the key is not compromised.
Is there any possibility that an attacker can grab the data, or maybe the data could be stored anywhere between my PC and the company's server?
Yes, there are many ways that an attacker can eavesdrop on an https connection between you and a server. For example, if the server's private key is compromised, then an attacker that is able to position himself between you and the server can sniff (and possibly even alter) all traffic between you and the server.
But, even if the server's private key is not leaked, it still may be possible for an attacker to intercept and alter the traffic between you and the server - if the attacker is able to convince you that his certificate is actually the server's certificate. This is known as a Man in the Middle Attack (MITM).
So, the security of an https connection boils down to the question of: when you connect to the server, and the server present its certificate to you, how do you know that this certificate is in fact the true and correct certificate for the server? Verifying that a certificate is the true and correct certificate for the server is called authentication.
Authentication is the weak link in SSL/TLS used with https on the web. We rely on certificate authorities (CA's) to verify certificates for us, and we check for the 'stamp of approval', in the form of a cryptographic signature on the certificate, by a CA that we trust.
However, this system is far from perfect, and it has had its share of failures. See https://moxie.org/2011/04/11/ssl-and-the-future-of-authenticity.html and If an adversary took over a major Certificate Authority, what bad things could they do? for some interesting reading on this subject.
Last but not least, this answer only discussed two types of attacks on SSL/TLS (there are many more). And, this answer only discusses attacks on the data while in transit between your web browser and the web server. Bear in mind that the data can also be attacked while at rest at either endpoint.
