Good question... the article doesn't cover exactly how it takes place. The key point is that it is irrelevant whether or not the page where you fill out your username and password is secure (https) or not (http). What is important is that the "action" value of the form initiates an https connection - how exactly the exchange takes place, it doesn't mention. I'm assuming it's along the lines of what you suggest.