Could anyone explain this Yahoo! source code?

Hello, friends,

I am implementing web app security using asp.net 1.1, and I found the
following source code on the Yahoo! Mail login page:

<form method="post" action="https://login.yahoo.com/config/login?"
autocomplete="off" name="login_form">
<input type="hidden" name=".tries" value="1">
<input type="hidden" name=".src" value="ym">
<input type="hidden" name=".md5" value="">
<input type="hidden" name=".hash" value="">
<input type="hidden" name=".js" value="">
<input type="hidden" name=".last" value="">
<input type="hidden" name="promo" value="">
<input type="hidden" name=".intl" value="us">
<input type="hidden" name=".bypass" value="">
<input type="hidden" name=".partner" value="">
<input type="hidden" name=".u" value="f1071nt25i290">
<input type="hidden" name=".v" value="0">
<input type="hidden" name=".challenge"
value="GqALcs.FldrEC7Y6w.typSitjV1D">
<input type="hidden" name=".yplus" value="">
<input type="hidden" name=".emailCode" value="">
<input type="hidden" name="pkg" value="">
<input type="hidden" name="stepid" value="">
<input type="hidden" name=".ev" value="">
<input type="hidden" name="hasMsgr" value="0">
<input type="hidden" name=".chkP" value="Y">
<input type="hidden" name=".done" value="http://mail.yahoo.com">
<table id="yreglgtb" summary="form: login information">
<tr>
<th><label for="username">Yahoo! ID:</label></th>
<td><input name="login" id="username" value="" size="17"
class="yreg_ipt" type="text"></td>
</tr>
<tr>
<th><label for="passwd">Password:</label></th>
<td><input name="passwd" id="passwd" value="" size="17"
class="yreg_ipt" type="password"></td>
</tr>

</table>
<p><input type="checkbox" id="persistent" name=".persistent" value="y">
<label for="persistent">Remember my ID on this computer</label></p>
<p class="yreglgsb"><input type="submit" value="Sign In"></p>
</form>


When a user clicks on the Sign In submit button, it sends username & passwd to
https://login.yahoo.com/config/login for authentication.

However, what I don't understand is this: I thought that after a user sends his/her
username & passwd, but before his/her request arrives at the Yahoo! server and is
taken care of by https://login.yahoo.com/config/login, there is NO SSL.

If I was right, then it did NOT make sense to use https here, since the
username & passwd had already been transferred in plain text over the internet.

Could anyone explain this to me? It really puzzled me.

Thanks a lot.
 
You go to a non-secure page (the Yahoo login page) and enter your username
and password into the text box. At this point nothing is insecure, because
the information you've entered only exists on your computer - it hasn't been
submitted over the internet. You hit submit, the browser does a new request
to the action address, in this case under SSL, and sends along the
username/password you entered in the box. This information is encrypted
because the request is made over SSL.

You seem to be thinking that because you enter information on a non-SSL
page, the information is submitted without encryption. But the
information is submitted as part of the request initiated by the form submit
to the form action, which is using SSL.

Karl
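As an added illustration (example code, not from this thread or from Yahoo!), the check below parses a page's forms the way Karl describes the browser treating them: it resolves each form's action against the page URL and reports whether a password field would be posted over https. It also flags the caveat a reviewer would raise on the quoted form: the action is https, but the page that delivers the form is plain http, so the form itself should be served over https too. The page URLs and the trimmed copy of the form are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collects every <form>: its resolved action and whether it carries a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # finished forms
        self._current = None     # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the scheme of the page, so resolve it.
            action = urljoin(self.page_url, a.get("action", ""))
            self._current = {"name": a.get("name", ""), "action": action,
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return (form name, finding) for each form that contains a password field.

    Acceptable only if both the action and the page serving the form are https:
    the action protects the credentials in transit, the page protects the form.
    """
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for f in parser.forms:
        if not f["has_password"]:
            continue
        action_https = urlsplit(f["action"]).scheme == "https"
        page_https = urlsplit(page_url).scheme == "https"
        if not action_https:
            findings.append((f["name"], "password posted over plain http"))
        elif not page_https:
            findings.append((f["name"], "credentials encrypted in transit, but form served over http"))
        else:
            findings.append((f["name"], "ok"))
    return findings


# Constructed sample: a trimmed copy of the form quoted in the question.
SAMPLE_HTML = """
<form method="post" action="https://login.yahoo.com/config/login?" autocomplete="off" name="login_form">
<input type="hidden" name=".done" value="http://mail.yahoo.com">
<input name="login" id="username" type="text">
<input name="passwd" id="passwd" type="password">
<input type="submit" value="Sign In">
</form>
"""
```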
 