On many provider websites, when you're filling out the personal info (name, occupation, work #, etc.) I've noticed that on the navigation toolbar the security is never locked....Which I think means that the site is not encrypted...
Isn't it easier for hackers to obtain info. when that security toolbar is not locked?...Can providers secure their sites easily, or is it more complicated than that?....Any computer savvy people know about security/encryption & risks involved when filling out info. on a non-secure page.....
Thanks...
that security is a self-comforting illusion, at best.
you shouldn't transact or disseminate any information on the internet, the release or retransmission of which, would have you in a bind (as you yourself would define a "bind")
any "computer savvy" person who tells you that you have nothing to worry about if you were to just use SSL or some other encryption technique is kindly blowing smoke up your chimney -- all good intentions aside
my own policy is to pause right before hitting return (or clicking my acceptance of the terms) ... and to ask myself ... is it ok if i was to also Cc a copy of this transaction to so-and-so? ... and if the answer is yes, then it's a go!
my (insecure) $0.02
SSL is not an illusion. It does what it was designed to do and does it very well, protect information in transit.
Our conversation here for example is not protected by SSL and is transmitted in cleartext on the Internet yet we do it anyway. Why? Because the benefit far outweighs the risk.
I believe what you may have meant is that using SSL by itself only addresses one of the threats to confidentiality.
Without getting into it, there are bigger threats to confidentiality than those related to the absence of SSL for this kind of scenario which is why I do not use provider website forms to provide any confidential information about myself.
I am not a computer security expert nor even a computer professional in any area of expertise but I would agree with h@ck_thi5 when he states that "there are bigger threats to confidentiality than those related to the absence of SSL".
SSL is typically used on commercial websites such as Amazon.com where confidential information including Names, addresses, and CREDIT CARD NUMBERS are being transmitted via the internet.
My concern with provider website forms is the uncertainty associated with how the information is handled once it is transmitted and received. Are files stored on a server or the provider's home/office computer? Are hard copies printed out for future reference? Any number of things could happen to compromise this information even though it may be innocent/unintentional.
I am new at this "hobby". I recently saw my first provider. She is well reviewed on TER and she has a website with a "Date request form". I chose not to submit my confidential information via this form precisely because of the type of concerns raised in this thread and those that I have alluded to here. Instead I chose to contact her by email and expressed my concern about providing the requested information over the internet. I let her know that I was willing to provide the information and asked to speak to her over the phone about the matter.
I understand the personal security issues that these women face.
I therefore agreed and did provide the information over the phone and she was OK with that. After all she was getting exactly the same information but via a different method.
Of course the information is perhaps written down and could I suppose be carelessly discarded or left lying around but it is usually much more sketchy and less likely to be kept in a more permanent fashion the way it might be if stored as a computer file somewhere.
Eventually there has to be some level of trust on both sides and a willingness to take a calculated risk.
By the way we had a great time, or at least I did, and she has agreed to see me again and was very complimentary toward me so I must be doing something right!
The lock indicates that SSL encryption is in place, but that generally only indicates the message will be encrypted between you and the recipient. That's how hackers get credit card #s from retail and bank computer systems. The #s may be encrypted during transit, but many systems don't encrypt them again for storage AFTER the message has arrived at the destination.
Both Singleton and bikebryan are right on the money. As far as filling out information goes, think of it as sending information via email. If you're comfortable sending out the information in an email to a bunch of friends, then you should feel comfortable filling out an online form (from a security standpoint anyway).
As far as the security icon on the browser goes, the security mechanisms built into most web browsers and web servers are designed to take data entered from a browser and encrypt it prior to transmission to a webserver. What happens after that is determined by what the receiver chooses to do with it.
That being said, there are ways to secure communication such as e-mail, both during transmission and for storage afterwards that are pretty easy to use. The caveat is that both the sender and receiver have to want to participate in encryption.
You can use PGP (Pretty Good Privacy) or one of its derivatives to secure all of your personal communication. I've enclosed a link to a PGP information website. You can find PGP software there that is free for Windows, MacOS, Linux, *nixes, and others. There are many other sites as well, just do a search for PGP or Pretty Good Privacy.
You can read all about it on the site, but basically the way it works is that you choose a _good_ password. Using the software, you generate two encrypted keys with your password. One key is a private key that is stored on your computer. You keep this key private and treat it and your password like Fort Knox treats gold.
The second key is a public key. You can give it to whomever you want, even post it for the entire world to see. Anyone who wants to send you something: email, a sensitive document, or whatever, uses the software and your public key to encrypt whatever it is that they wish to protect.
Once encrypted, the only way to decrypt it is to use the private key and the password, which only you have. Even the originator can't reverse the process. Only by having the private key and the password can you decrypt the content.
The basic idea is that you collect the public keys of the people with whom you wish to correspond and share yours with them. When you wish to correspond securely, you use that person's public key. When they choose to respond, they use your public key.
Many of the software programs derived from PGP also let you MANAGE your correspondence and documents. They allow you to store your correspondence in an encrypted fashion. A lot of them also seamlessly plug in to e-mail clients such as Outlook, Netscape, Eudora, and others. This is handy as you can type your message and then click a single button to encrypt and send e-mail. The encrypted version of the email goes into your "Sent" folder. No version of the unencrypted variant remains.
One thing you need to be aware of is that using someone's public key requires a certain amount of trust. How well do you trust the person whose public key you are using? If you know the person and they gave you the key personally, I'd say you can trust it. But if you received a plain-text email containing a public key from an unknown entity you have to weigh its validity.
There's a concept of building a "ring of trust" whereby you may not know the owner of the public key, but someone you do trust vouches for it. A complete discussion isn't feasible here, but the website below and others discussing PGP talk about it.
As far as this hobby is concerned, I would love it if providers published a public key (on their "contact me" page or advertisement for instance). Of course, they don't know you from Adam (or Adam 12), so they have to decide how much they trust you, but you could at least initiate secure communications and not worry about leaving plain-text evidence lying around. It would be nice to find a way, say a central, trusted location, where hobbyists' keys could be vouched for.
On a side note, with PGP you can generate _very_ secure keys. The longer the key, the harder it is to crack. The keys generated by web browsers are, at most, 128 bits in length. That's a pretty secure key, but PGP lets you create 1024 bit keys. That's 10 orders of magnitude (or 10,000,000,000 times) harder to crack.
As long as you don't choose an easily-guessed password, it takes some _serious_ resources (think government agencies or _really_ big corporations) to crack that key in a reasonable amount of time. Even so, it costs about $750,000 to do it, (time, personnel, etc.) so someone has to want that key really bad.
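The post above says a public key received in a plain-text email has to be weighed for validity. One way to do that check, as an added example that is not part of the original post: compute the key's OpenPGP version 4 fingerprint (RFC 4880, sections 5.5.2 and 12.2) and compare it with the fingerprint the owner gives you over a separate channel such as the phone. The key values, timestamp and function names below are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed toy values for illustration only (far too small for a real key).
GENUINE_N = (2**127 - 1) * (2**89 - 1)   # modulus of the key the owner generated
SWAPPED_N = (2**107 - 1) * (2**89 - 1)   # modulus of a key substituted in transit
EXPONENT = 65537
CREATED = 1_000_000_000                  # constructed creation timestamp


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body."""
    data = b"\x99" + struct.pack(">H", len(packet_body)) + packet_body
    return hashlib.sha1(data).hexdigest().upper()


def key_matches(packet_body: bytes, trusted_fingerprint: str) -> bool:
    """Compare a received key against a fingerprint obtained out of band."""
    wanted = "".join(trusted_fingerprint.split()).upper()  # drop spacing and case
    return hmac.compare_digest(v4_fingerprint(packet_body).encode(), wanted.encode())


def demo():
    genuine = rsa_public_key_packet(GENUINE_N, EXPONENT, CREATED)
    swapped = rsa_public_key_packet(SWAPPED_N, EXPONENT, CREATED)
    fp = v4_fingerprint(genuine)
    # The owner reads the fingerprint aloud in groups of four characters.
    spoken = " ".join(fp[i:i + 4] for i in range(0, 40, 4)).lower()
    return key_matches(genuine, spoken), key_matches(swapped, spoken)


if __name__ == "__main__":
    print(demo())
```

The fingerprint covers the creation time as well as the key material, so any change to either produces a different value and the comparison fails.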
In most cases, the form you fill out sends the information via e-mail to the provider. After you click "send," a program is invoked which puts all your information into an e-mail format, then e-mails it to whatever address has been designated.
Nonsecure information can be picked up by "sniffers"
http://www.robertgraham.com/pubs/sniffing-faq.html
(see topic 1.1 "What is a sniffer?")
Sniffer-like technology is what the spooks use to monitor internet traffic to catch spies, al Qaeda, elderly people who buy their prescription drugs in Canada, and people who submit unflattering stories about Dubya to "The Onion."
Depending on the script used, it is possible to have the form information e-mailed to more than one address. Some ladies' websites are prepared by others ("webmasters/webmistresses")...it would be possible for an unscrupulous, or voyeuristic, webmaster to have copies of the form sent to him/her (unbeknownst to the provider). Of course, I doubt that it ever happens in real life, but it is a possibility...mentioned only for the sake of public interest and paranoia provocation.
"I doubt that it ever happens in real life, but it is a possibility" -- mephistopholis
i can envision many such scenarios, a (secretly) jealous ex-boyfriend/webmaster, mercenary web hackers who are in cahoots with agencies ... you name it
in its almost evolutionary conflagration the internet is a good mimic of good old "Mother Nature" -- if by hook or crook some little teeny thing can be exploited then it almost certainly will and exponentially so.
my own net mantra is: be paranoid, be very paranoid! (adapted from the movie THE FLY)
F20238 43D7FL 3234#@ 8LSKJF 98Q23 A8SD19 1#@5FG
97FDKS 13FL23 ASA8FD #@234L ASLFW 8URJ3R 90FDS2
2KLJ34 KLJLK3 234808 423#21 SDF23 98FSD7 F82934
Hi Mom!