Guest
Hello, friends,
I am implementing web app security using ASP.NET 1.1, and I found the
following source code from the Yahoo! Mail login page:
<form method="post" action="https://login.yahoo.com/config/login?"
autocomplete="off" name="login_form">
<input type="hidden" name=".tries" value="1">
<input type="hidden" name=".src" value="ym">
<input type="hidden" name=".md5" value="">
<input type="hidden" name=".hash" value="">
<input type="hidden" name=".js" value="">
<input type="hidden" name=".last" value="">
<input type="hidden" name="promo" value="">
<input type="hidden" name=".intl" value="us">
<input type="hidden" name=".bypass" value="">
<input type="hidden" name=".partner" value="">
<input type="hidden" name=".u" value="f1071nt25i290">
<input type="hidden" name=".v" value="0">
<input type="hidden" name=".challenge"
value="GqALcs.FldrEC7Y6w.typSitjV1D">
<input type="hidden" name=".yplus" value="">
<input type="hidden" name=".emailCode" value="">
<input type="hidden" name="pkg" value="">
<input type="hidden" name="stepid" value="">
<input type="hidden" name=".ev" value="">
<input type="hidden" name="hasMsgr" value="0">
<input type="hidden" name=".chkP" value="Y">
<input type="hidden" name=".done" value="http://mail.yahoo.com">
<table id="yreglgtb" summary="form: login information">
<tr>
<th><label for="username">Yahoo! ID:</label></th>
<td><input name="login" id="username" value="" size="17"
class="yreg_ipt" type="text"></td>
</tr>
<tr>
<th><label for="passwd">Password:</label></th>
<td><input name="passwd" id="passwd" value="" size="17"
class="yreg_ipt" type="password"></td>
</tr>
</table>
<p><input type="checkbox" id="persistent" name=".persistent" value="y">
<label for="persistent">Remember my ID on this computer</label></p>
<p class="yreglgsb"><input type="submit" value="Sign In"></p>
</form>
When a user clicks on the Sign In submit button, it sends the username & passwd to
https://login.yahoo.com/config/login for authentication.
However, what I don't understand is: I thought that after a user sends his/her
username & passwd, but before his/her request arrives at the Yahoo! server to be
taken care of by https://login.yahoo.com/config/login, there is NO SSL.
If I was right, then it did NOT make sense to use https here, since the
username & passwd had already been transferred in plain text through the internet.
Could anyone explain this to me? It really puzzled me.
Thanks a lot.