
I was monitoring web traffic from my Android mobile using a man-in-the-middle proxy. As part of this I installed a certificate (signed by my server) to my mobile and I could see all applications sending sensitive information like passwords as clear text.

I understand that the SSL protocol takes care of establishing secure communication, but does that eliminate the need to encrypt data?

PaulG
cyn0
  • data on the wire is encrypted. you're intercepting that data using an ssl proxy, basically, so yes, you'll be able to see anything. If you follow the news, this is no different than today's CNNIC blacklisting or the recent Lenovo Superfish fiasco. – Marc B Apr 02 '15 at 14:40
  • Isn't that really a security threat? If someone managed to install a certificate, then all my data is compromised? – cyn0 Apr 02 '15 at 14:43
  • A certificate by itself does NOTHING. It's just some numbers. It's whatever apps are being used that are the threat. – Marc B Apr 02 '15 at 14:45

1 Answer


So there are really 2 questions here:

Does it eliminate the need to encrypt data in all cases? No.

Does it eliminate the need to encrypt data in most cases? Yes.

To understand those answers we need to talk about one important thing: key distribution.

How are you going to get the key to your user (the one making the request)? If you have a reliable side-channel, then it's possible to send the key in the side channel. This means that any data encrypted and sent over TLS won't be decryptable even if the attacker can decrypt the TLS stream.

For the average website, there's no reliable side-channel. For the average network service there isn't one either (implementations like sshd simply make the best effort approach of "assume the first connection is good").

If your data is important enough to justify the side-channel distribution of keys (preferably offline), then the added encryption inside of TLS can protect you from certain attack vectors.

However, ask yourself if it's worth it for your use case. All security is a tradeoff of usability and simplicity...

ircmaxell
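The answer's point, shown in code as an added example that is not part of the question or the answer: a TLS-terminating proxy that holds a certificate the phone trusts sees the HTTP body in the clear, while a payload encrypted with a key that reached the app over a separate side channel (a pre-shared key, `psk` below) stays opaque to that proxy and can only be read by a server holding the same key. `LOGIN_BODY`, `proxy_view`, `encrypt`, `decrypt` and `compare` are names invented for this example; the encrypt-then-MAC construction built from HMAC-SHA256 is a standard-library stand-in for a real AEAD cipher such as AES-GCM, which is what you would use in production.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the JSON body a login request carries inside the TLS stream.
LOGIN_BODY = b'{"user": "alice", "password": "hunter2"}'

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def proxy_view(tls_payload: bytes) -> bytes:
    """What a TLS-terminating MITM proxy sees.

    TLS only protects the wire; once the proxy presents a certificate the
    client trusts, it decrypts the stream and gets the application payload as-is.
    """
    return tls_payload


def _keys(psk: bytes):
    # Derive independent encryption and MAC keys from the side-channel-distributed key.
    return (hmac.new(psk, b"enc", hashlib.sha256).digest(),
            hmac.new(psk, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from a PRF (HMAC-SHA256), enough bytes for the payload.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(psk: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Application-layer encryption applied before the data enters TLS.

    Output layout: nonce || ciphertext || tag (encrypt-then-MAC).
    """
    enc_key, mac_key = _keys(psk)
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(psk: bytes, blob: bytes) -> bytes:
    """Server side: verify the tag first, then decrypt. Wrong key or any
    modification by an intermediary fails here instead of yielding garbage."""
    enc_key, mac_key = _keys(psk)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered payload")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def compare(psk: bytes, secret: bytes = b"hunter2") -> dict:
    """Does the proxy get the password with plain TLS vs. with the extra layer?"""
    blob = encrypt(psk, LOGIN_BODY)
    return {
        "plain_tls_leaks": secret in proxy_view(LOGIN_BODY),
        "encrypted_leaks": secret in proxy_view(blob),
        "server_decrypts": decrypt(psk, blob) == LOGIN_BODY,
    }


if __name__ == "__main__":
    # Constructed key; in practice it must reach the app by a channel the proxy
    # cannot observe, otherwise the proxy operator simply decrypts this layer too.
    print(compare(b"\x42" * 32))
```

The key distribution problem the answer describes is exactly what `psk` glosses over: if the key is fetched over the same proxied connection, the extra layer adds nothing, which is why most web sites and services stop at TLS.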