Well… first of all… my bad…
Was in too much of a hurry to post what I saw yesterday…
Well, for the explanation:
* Plugins like LiveHTTP Headers and FireBug show the un-encrypted URL which is being requested.
* So, before actually posting this URL, the browser encrypts it. This is because the login page is present on the HTTPS domain.
* Confirmed this by actually using Wireshark to sniff the packets being transmitted from my machine!
Just happened to investigate Google's Gmail login process… Was interested in knowing the internal redirects and other stuff. In the process, came across an amazing security flaw there… I'm using the LiveHTTP Headers plugin for Firefox. All seemed perfect when I logged into a secure HTTPS Google domain. But then, when it redirected to the non-secure HTTP domain, I could see my password in clear text in the redirect URL! FUCK!
Go on guys… start sniffing…
Anyway, for guys who want to be secure enough on the net, you can configure Gmail to use only HTTPS. Things might be a little slow, but then on a broadband-like connection it does not matter!
Btw, Oz just confirmed that the same happens with the Yahoo login!
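The two things worth checking in a capture like the one described above are whether a request URL carries a credential-looking query parameter, and whether a redirect moves from an https:// page to an http:// one. The script below is an added example, not code from the original post or from any of the services mentioned; it audits a constructed, LiveHTTP-Headers-style log (URL line, then the request and response headers) and reports both conditions. The hostnames, paths and parameter values in the sample are made up, and the list of sensitive parameter names is an assumption to adapt for the application being tested.

```python
"""Flag credential-bearing URLs and HTTPS->HTTP redirects in a header capture.

Added example, not from the original post. Parses a constructed
LiveHTTP-Headers-style log and reports:
  * a query parameter whose name looks like a credential, and
  * a redirect whose Location leaves https:// for http://.
"""
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as sensitive (assumption; extend for your app).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "session"}

# Constructed sample capture: hosts, paths and values are invented.
SAMPLE_CAPTURE = """\
https://accounts.example.test/ServiceLogin

POST /ServiceLogin HTTP/1.1
Host: accounts.example.test

HTTP/1.1 302 Found
Location: http://mail.example.test/?auth=abc123&passwd=hunter2

http://mail.example.test/?auth=abc123&passwd=hunter2

GET /?auth=abc123&passwd=hunter2 HTTP/1.1
Host: mail.example.test

HTTP/1.1 200 OK
"""


def sensitive_params(url):
    """Sorted names of query parameters in `url` that look like credentials."""
    query = urlsplit(url).query
    return sorted({name for name, _ in parse_qsl(query, keep_blank_values=True)
                   if name.lower() in SENSITIVE_PARAMS})


def is_downgrade(from_url, to_url):
    """True when a redirect goes from an https:// URL to an http:// URL."""
    return (urlsplit(from_url).scheme == "https"
            and urlsplit(to_url).scheme == "http")


def audit_capture(text):
    """Walk a capture and return (kind, url, detail) findings in log order."""
    findings = []
    current = None  # URL of the request whose headers are being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("http://", "https://")):
            # A bare URL line starts a new request in this log format.
            current = line
            names = sensitive_params(current)
            if names:
                findings.append(("credential-in-url", current, ",".join(names)))
        elif line.lower().startswith("location:") and current is not None:
            # Split on the first colon only, so the URL's own "http:" survives.
            target = line.split(":", 1)[1].strip()
            if is_downgrade(current, target):
                findings.append(("https-to-http-redirect", current, target))
    return findings


if __name__ == "__main__":
    for kind, url, detail in audit_capture(SAMPLE_CAPTURE):
        print(f"{kind}: {url} ({detail})")
```

Run against the sample, it reports the downgrade from the HTTPS login page to the HTTP mail host, then the `passwd` parameter in the plain-HTTP URL. The same function can be pointed at a saved LiveHTTP Headers or proxy log when testing a login flow you are responsible for; anything it flags is data that travels unencrypted or ends up in browser history and server logs.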