Could anyone explain this Yahoo! source code?

Andrew

Hello, friends,

I am implementing web app security using asp.net 1.1, and I found the
following source code from Yahoo! Mail login page:

<form method="post" action="https://login.yahoo.com/config/login?"
autocomplete="o ff" name="login_for m">
<input type="hidden" name=".tries" value="1">
<input type="hidden" name=".src" value="ym">
<input type="hidden" name=".md5" value="">
<input type="hidden" name=".hash" value="">
<input type="hidden" name=".js" value="">
<input type="hidden" name=".last" value="">
<input type="hidden" name="promo" value="">
<input type="hidden" name=".intl" value="us">
<input type="hidden" name=".bypass" value="">
<input type="hidden" name=".partner" value="">
<input type="hidden" name=".u" value="f1071nt2 5i290">
<input type="hidden" name=".v" value="0">
<input type="hidden" name=".challeng e"
value="GqALcs.F ldrEC7Y6w.typSi tjV1D">
<input type="hidden" name=".yplus" value="">
<input type="hidden" name=".emailCod e" value="">
<input type="hidden" name="pkg" value="">
<input type="hidden" name="stepid" value="">
<input type="hidden" name=".ev" value="">
<input type="hidden" name="hasMsgr" value="0">
<input type="hidden" name=".chkP" value="Y">
<input type="hidden" name=".done" value="http://mail.yahoo.com" >
<table id="yreglgtb" summary="form: login information">
<tr>
<th><label for="username"> Yahoo! ID:</label></th>
<td><input name="login" id="username" value="" size="17"
class="yreg_ipt " type="text"></td>
</tr>
<tr>
<th><label for="passwd">Pa ssword:</label></th>
<td><input name="passwd" id="passwd" value="" size="17"
class="yreg_ipt " type="password" ></td>
</tr>

</table>
<p><input type="checkbox" id="persistent " name=".persiste nt" value="y">
<label for="persistent ">Remember my ID on this computer</label></p>
<p class="yreglgsb "><input type="submit" value="Sign In"></p>
</form>
When a user clicks on Sign In submit button, it sends username & passwd to
https://login.yahoo.com/config/login. for authentication.

However, what I don't understand is: I thought after a user sends his/her
username & passwd, but before his/her request arrives Yahoo! server being
taken care of by https://login.yahoo.com/config/login, there is NO SSL.

If I was right, then, it did NOT make sense to use https here, since
username & passwd had been transferred in plain text through internet already.

Could anyone explain this to me? It really puzzled me.

Thanks a lot.

May 4 '06 #1

Subscribe Reply

3603

Karl Seguin [MVP]

you go to a non secure page (the yahoo login page) and enter your username
and password into the text box. At this point nothing is insecure because
the information you've entered only exists on your computer - it hasn't been
submitted over the internet. You hit submit, the browser does a new request
to the action address, in this case it's under SSL and sends along the
username/passwords you entered in the box. This information is encrypted
because the request is made over SSL.

You seem to be thinking that because you enter information in a non-SSL
page, then the information is submitted without encryption. But the
information is submitted as part of the request initiated by the form submit
to the form action, which is using ssl.

Karl

--
http://www.openmymind.net/

"Andrew" <An****@discuss ions.microsoft. com> wrote in message
news:1D******** *************** ***********@mic rosoft.com...

Hello, friends,

I am implementing web app security using asp.net 1.1, and I found the
following source code from Yahoo! Mail login page:

<form method="post" action="https://login.yahoo.com/config/login?"
autocomplete="o ff" name="login_for m">
<input type="hidden" name=".tries" value="1">
<input type="hidden" name=".src" value="ym">
<input type="hidden" name=".md5" value="">
<input type="hidden" name=".hash" value="">
<input type="hidden" name=".js" value="">
<input type="hidden" name=".last" value="">
<input type="hidden" name="promo" value="">
<input type="hidden" name=".intl" value="us">
<input type="hidden" name=".bypass" value="">
<input type="hidden" name=".partner" value="">
<input type="hidden" name=".u" value="f1071nt2 5i290">
<input type="hidden" name=".v" value="0">
<input type="hidden" name=".challeng e"
value="GqALcs.F ldrEC7Y6w.typSi tjV1D">
<input type="hidden" name=".yplus" value="">
<input type="hidden" name=".emailCod e" value="">
<input type="hidden" name="pkg" value="">
<input type="hidden" name="stepid" value="">
<input type="hidden" name=".ev" value="">
<input type="hidden" name="hasMsgr" value="0">
<input type="hidden" name=".chkP" value="Y">
<input type="hidden" name=".done" value="http://mail.yahoo.com" >
<table id="yreglgtb" summary="form: login information">
<tr>
<th><label for="username"> Yahoo! ID:</label></th>
<td><input name="login" id="username" value="" size="17"
class="yreg_ipt " type="text"></td>
</tr>
<tr>
<th><label for="passwd">Pa ssword:</label></th>
<td><input name="passwd" id="passwd" value="" size="17"
class="yreg_ipt " type="password" ></td>
</tr>

</table>
<p><input type="checkbox" id="persistent " name=".persiste nt"
value="y">
<label for="persistent ">Remember my ID on this computer</label></p>
<p class="yreglgsb "><input type="submit" value="Sign In"></p>
</form>
When a user clicks on Sign In submit button, it sends username & passwd to
https://login.yahoo.com/config/login. for authentication.

However, what I don't understand is: I thought after a user sends his/her
username & passwd, but before his/her request arrives Yahoo! server being
taken care of by https://login.yahoo.com/config/login, there is NO SSL.

If I was right, then, it did NOT make sense to use https here, since
username & passwd had been transferred in plain text through internet
already.

Could anyone explain this to me? It really puzzled me.

Thanks a lot.

May 4 '06 #2

Similar topics

2425

Move LDF -Has anyone seen this happen?

by: DickChristoph | last post by:

Hi We have a SQL 2000 (sp3) server with a database that I set up to have the MDF on D: and the LDF on E:. All was going along fine for several months and one day the server rebooted. The SQL log says something like "Service is shutting down due to server shutdown." When it came back up the LDF File was on D: (in the same folder as the MDF). The original LDF was gone from E:

Microsoft SQL Server

2078

Can anyone explain this?

by: Ranyart Olias | last post by:

Can anyone explain why the <root@hiddenworld.net> portion of this html doesn't render in a browser, but the <20031010152346.GA15353@server.hiddenworld.net> portion does? Here is the html code... <html>

HTML / CSS

1706

Could anyone explain why...

by: Chris | last post by:

Hello Could anyone explain why the following: #footer ul { float : left; margin : 2px 0px 7px 28px; padding : 0px; width : 360px;

HTML / CSS

3905

visual explain

by: Buck Nuggets | last post by:

Since upgrading to db2 8.2.1 I've been having odd problems with visual explain: 1. tables appear to require schema prefixes: SQL0204N "BUCK.DIM_SENSOR" is an undefined name. SQLSTATE=42704 I had already set the schema to dw - where queries can find dw.dim_sensor

DB2 Database

6247

aspnet_wp.exe could not be started

by: Alek Davis | last post by:

After installing Framework 1.1, I cannot run any of my ASP.NET applications. Actually, while installing Framework 1.1, I also installed recommended updates (all critical security fixes) from the Windows updates site, so I am not sure whether this was caused by Framework 1.1 or by one of the hot fixes. Now I am getting the following error in the event log: "aspnet_wp.exe could not be started. HRESULT for the failure: 80070545." I checked a...

ASP.NET

1231

Could use some help with a link problem.

by: Amy | last post by:

Hello this script was switched to one with a timer. But now it doesn't work right. The items in the left are supposed to be the link names, and the items in the right are supposed to be the link addresses. When it was switched from a day rotation to a timed rotation something is keeping it from working as a link. Can anyone see why? Please let me know, thanks, Amy one that works by day just following and works correctly. <BODY...

Javascript

12594

"could not deduce template argument" error

by: gretean | last post by:

I have a problem that's driving me crazy involving Microsoft's ability to deduce template parameters. I am using Visual Studio .NET (aka VC7?), and it gives an error compiling the following code. template <int x, int yclass M { public: template <int xRet, int yRet, int xR, int yR> M<xRet, yRetoperator *(const M<xR, yR&b) const { M<xRet,yReta; return a;

C / C++

2726

index fragmentation and explain

by: jane | last post by:

HI, I had one delete statement, it was running for some time, caused fragmentation on indexes. The delete performance is getting worse. After reorg the indexes, the performance is getting better. My question is I got explain before the reorg/runstats and after reorg/ runstats. The estimated costs are exactly the same.. I suppose the explain costs should be lower after reorg/runstats.

DB2 Database

1814

Could you please explain me the following ones?

by: Chuthu | last post by:

Could anyone explain me the following concepts in detail? 1. JAXP 2. BGRAPH 3. JBOSS work flow engine

Java

1814

Could anyone point me to a good site for pearl compiler download

by: rich murphy | last post by:

Could anyone point me to a good site for pearl compiler download.

Python

9646

What is ONU?

by: marktang | last post by:

ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...

General

10157

Maximizing Business Potential: The Nexus of Website Design and Digital Marketing

by: jinu1996 | last post by:

In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...

Online Marketing

10097

The easy way to turn off automatic updates for Windows 10/11

by: Hystou | last post by:

Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...

Windows Server

8983

AI Job Threat for Devs

by: agi2029 | last post by:

Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...

Career Advice

6742

Couldn’t get equations in html when convert word .docx file to html file in C#.

by: conductexam | last post by:

I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...

C# / C Sharp

5386

Trying to create a lan-to-lan vpn between two differents networks

by: TSSRALBI | last post by:

Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...

Networking - Hardware / Configuration

4055

transfer the data from one system to another through ip address

by: 6302768590 | last post by:

Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system

C# / C Sharp

3658

How to add payments to a PHP MySQL app.

by: muto222 | last post by:

How can i add a mobile payment intergratation into php mysql website.

PHP

2887

Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy

by: bsmnconsultancy | last post by:

In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

General