Could anyone explain this Yahoo! source code?

  • Andrew

    Could anyone explain this Yahoo! source code?

    Hello, friends,

    I am implementing web app security using asp.net 1.1, and I found the
    following source code from Yahoo! Mail login page:

    <form method="post" action="https://login.yahoo.com/config/login?"
    autocomplete="off" name="login_form">
    <input type="hidden" name=".tries" value="1">
    <input type="hidden" name=".src" value="ym">
    <input type="hidden" name=".md5" value="">
    <input type="hidden" name=".hash" value="">
    <input type="hidden" name=".js" value="">
    <input type="hidden" name=".last" value="">
    <input type="hidden" name="promo" value="">
    <input type="hidden" name=".intl" value="us">
    <input type="hidden" name=".bypass" value="">
    <input type="hidden" name=".partner" value="">
    <input type="hidden" name=".u" value="f1071nt2 5i290">
    <input type="hidden" name=".v" value="0">
    <input type="hidden" name=".challenge"
    value="GqALcs.F ldrEC7Y6w.typSi tjV1D">
    <input type="hidden" name=".yplus" value="">
    <input type="hidden" name=".emailCode" value="">
    <input type="hidden" name="pkg" value="">
    <input type="hidden" name="stepid" value="">
    <input type="hidden" name=".ev" value="">
    <input type="hidden" name="hasMsgr" value="0">
    <input type="hidden" name=".chkP" value="Y">
    <input type="hidden" name=".done" value="http://mail.yahoo.com" >
    <table id="yreglgtb" summary="form: login information">
    <tr>
    <th><label for="username"> Yahoo! ID:</label></th>
    <td><input name="login" id="username" value="" size="17"
    class="yreg_ipt" type="text"></td>
    </tr>
    <tr>
    <th><label for="passwd">Password:</label></th>
    <td><input name="passwd" id="passwd" value="" size="17"
    class="yreg_ipt" type="password"></td>
    </tr>

    </table>
    <p><input type="checkbox" id="persistent" name=".persistent" value="y">
    <label for="persistent">Remember my ID on this computer</label></p>
    <p class="yreglgsb"><input type="submit" value="Sign In"></p>
    </form>


    When a user clicks on the Sign In submit button, it sends username & passwd to
    https://login.yahoo.com/config/login for authentication.

    However, what I don't understand is: I thought that after a user sends his/her
    username & passwd, but before his/her request arrives at the Yahoo! server to be
    taken care of by https://login.yahoo.com/config/login, there is NO SSL.

    If I was right, then it did NOT make sense to use https here, since
    username & passwd had already been transferred in plain text through the internet.

    Could anyone explain this to me? It really puzzled me.

    Thanks a lot.

  • Karl Seguin [MVP]

    #2
    Re: Could anyone explain this Yahoo! source code?

    You go to a non-secure page (the Yahoo login page) and enter your username
    and password into the text box. At this point nothing is insecure because
    the information you've entered only exists on your computer - it hasn't been
    submitted over the internet. You hit submit, the browser does a new request
    to the action address, in this case it's under SSL and sends along the
    username/passwords you entered in the box. This information is encrypted
    because the request is made over SSL.

    You seem to be thinking that because you enter information in a non-SSL
    page, then the information is submitted without encryption. But the
    information is submitted as part of the request initiated by the form submit
    to the form action, which is using SSL.

    Karl
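
The behaviour described in this reply can be checked mechanically. The following is an added example, not part of the original thread: it resolves each login form's action against the URL of the page that served it, the way a browser does, and reports which scheme carries the password. `PAGE_URL` and the trimmed `SAMPLE_FORM` are constructed for illustration; the login page's real address is not given in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "http://login-page.example/"  # assumed address of the non-SSL form page
# Constructed sample: a trimmed copy of the form quoted in the question.
SAMPLE_FORM = """
<form method="post" action="https://login.yahoo.com/config/login?" name="login_form">
<input type="hidden" name=".done" value="http://mail.yahoo.com">
<input name="login" type="text">
<input name="passwd" type="password">
<input type="submit" value="Sign In">
</form>
"""

class FormAudit(HTMLParser):
    """Collect each <form> with its method, action and password field names."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"method": (a.get("method") or "get").lower(),
                          "action": a.get("action") or "", "password_fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "text").lower() == "password":
                self._open["password_fields"].append(a.get("name"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_forms(page_url, html):
    """Report, per form holding a password field, how the credentials travel."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password_fields"]:
            continue
        target = urljoin(page_url, form["action"])  # empty action -> page URL itself
        findings.append({
            "target": target,
            "submit_encrypted": urlsplit(target).scheme == "https",  # POST goes over SSL
            "page_encrypted": urlsplit(page_url).scheme == "https",  # form markup integrity
            "password_in_url": form["method"] == "get",  # GET puts passwd in the URL
        })
    return findings
```

For the quoted form, `submit_encrypted` is true, which is the point made above. `page_encrypted` is false, and a defender would also serve the form page over HTTPS so that the `action` attribute reaches the browser unmodified.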
