Using my android device I went to "mail.yahoo.com" on my web browser. It forwarded me to this page: http://mlogin.yahoo.com/w/login/user …
The page prompts me to enter my username and password, but the page is not HTTPS! I examined the source and it looks like the form action posts to "https://mlogin.yahoo.com/w/login/auth?.ts=1341545330&.intl=PR&.lang=es-pr".
My question is how safe is that? It seems very risky to enter your username password on a page that isn't secure.
Another question is do web browsers allow the opposite: a secure webpage that ends up submitting the form to an unsecure page? If so that seems very bad security policy on behalf of web browser makers.
Best Answer
The data sent from the HTTP page to the HTTPS one gets encrypted. Many followed this method in past due to performance issues. But this method is not advised as it is prone to man in the middle attack.