[HN Gopher] The Passport Payment (2000)
       ___________________________________________________________________
        
       The Passport Payment (2000)
        
       Author : csapdani
       Score  : 188 points
       Date   : 2020-07-19 08:47 UTC (14 hours ago)
        
 (HTM) web link (web.archive.org)
 (TXT) w3m dump (web.archive.org)
        
       | terenceng2010 wrote:
       | Try to go to passport.com nowadays. It redirects you to Bing and
       | searches "passport" as a result. Handy.
        
         | calvinmorrison wrote:
         | I had an issue with my router which now uses myfiosgateway.com
         | as the router config though it is hosted on the router
         | (presumably so it can serve https?) And MarkMonitor showed up
         | with a big "this is the actual internet so you don't wanna
         | visit it" page when I was routed to the actual .com, kinda
         | similar
        
       | dannyw wrote:
       | Could you imagine doing this today? You'd probably get lawyers
       | making you sign agreements saying your payment of the domain
       | renewal is not an ownership interest in the domain and threatening
       | to take you to court for renewing their domain.
        
         | SMAAART wrote:
         | And - of course - the same lawyers would bill MSFT $5,000
        
         | dewey wrote:
         | I actually think it would be the opposite now. Things like bug
         | bounties or a huge PR problem by the affected problem posting
         | it on Twitter are new things. It was more prevalent to send
         | lawyers for accessing public but not meant to be public URLs
         | back in the days than it's now.
        
       | StavrosK wrote:
       | I'm confused, how did he pay for someone else's domain? Was there
       | no authentication?
        
         | hadrien01 wrote:
         | You can renew a domain without being authenticated, but you
         | won't be able to take ownership of it. It's useful if you can't
         | find your login details and are in a hurry.
        
           | StavrosK wrote:
           | Oh huh, I didn't know that, thanks.
        
         | namibj wrote:
         | Back then, control was authenticated as necessary for the
         | proper functioning, but even today I see no reason why renewal
         | should have to be gated behind login walls. Actually, I'd even
         | prefer it not to be, because you might, in a pinch, be
         | prevented from paying for them yourself electronically, having
         | to call in a favor and promise to pay back as soon as you see
         | that friend.
         | 
         | Or you just prefer to pay someone cash for them to top up your
         | domain, because you don't like mixing money and the internet,
         | but have e.g. a personal domain for email.
        
           | TazeTSchnitzel wrote:
           | In the UK, student loan payments can be made online without
           | authentication: if you know the right details, it just works.
           | Which was convenient for me, because I have never managed to
           | log into my account.
        
           | jtl999 wrote:
           | There are other registrars that support paying for an
           | arbitrary domain without having ownership.
        
           | jedimastert wrote:
           | > even today I see no reason why renewal should have to be
           | gated behind login walls.
           | 
           | This actually reminds me of a somewhat interesting social
           | engineering "vulnerability" a little while back[0].
           | 
           | 1. The hacker would call into Amazon and say that the website
           | was acting up and they needed to add a card to the victim's
           | account. It wouldn't take much effort because why would it?
           | 
           | 2. The hacker'd call right back and say that "their" email
           | had been compromised and they needed to change it/add a new
           | one and reset the password. You supply the card you just gave
           | (and name/billing address, but those aren't too hard to find)
           | 
           | 3. Use that to hop on to the account and grab the last 4
           | digits of the victim's real card.
           | 
           | You now have the victim's billing address and last 4 of a
           | credit card. A surprising amount of authentication power.
           | 
           | I think the lesson here is if it _can_ be privileged
           | information, it _is_. Even if it's privileged for someone
           | else.
           | 
           | [0]: https://www.wired.com/2012/08/apple-amazon-mat-honan-
           | hacking...
        
             | wolco wrote:
             | That's a useless hack at the time. You could generate your
             | own credit card numbers back then using a formula. The
             | name/expiry date or address were not used for verification.
             | 
             | So ordering from a fake credit card was easy. Finding the
             | drop shipping location was the hard part.
        
               | dannyw wrote:
               | Your fake credit card isn't going to have a balance.
        
               | TedDoesntTalk wrote:
               | It was and still is trivial to get stolen credit card
               | info that does have balances or credit available.
        
               | wolco wrote:
               | It didn't matter because in order to check someone had to
               | call and wait an hour so no one did in mail order
               | purchases/shopping networks because you had an address to
               | send the police to.
        
             | namibj wrote:
             | Ok, yeah, I see. Though, in that case, it's both a failure
             | on his side, as well as an utter failure on Apple's side.
             | 
             | Also, arguably, a plus for Google's stance on this: no
             | answers to questions, no access. Sue us.
        
           | em-bee wrote:
           | yup, i use gandi for that reason. they support payment from
           | anyone. it's especially convenient for volunteer community
           | sites. we don't depend on the person who registered the
           | domain and forgot to give access to others.
        
             | nathancahill wrote:
             | Very good to know. I use Gandi too, didn't realize I could
             | do that.
        
       | ChrisMarshallNY wrote:
       | It's always nice to hear about people doing the right thing.
       | Thanks for sharing the story.
        
       | spyc wrote:
       | Great move, kudos to Michael!
        
       | kijin wrote:
       | According to the story, it took somewhere between 13 and 19 hours
       | for passport.com to resolve properly after he renewed it for
       | Microsoft. Is that normally how long it takes to reactivate a
       | domain name that has gone into a renewal grace period, or was
       | something different back then?
       | 
       | Perhaps the NXDOMAIN response was cached by ISPs for an
       | especially long time because it was such a frequently visited
       | hostname?
        
         | orisho wrote:
         | NXDOMAIN is often cached for much longer because it's assumed
         | not to change soon. Sometimes, as in this case, that's a wrong
         | assumption.
        
           | DaiPlusPlus wrote:
           | I thought NXDOMAIN results were cached for as long as the TTL
           | in the parent SOA record?
        
             | yrro wrote:
             | For com. that's currently 24 hours!
        
         | DanielDent wrote:
         | It used to be that nameserver changes with TLDs were measured
         | in days, not minutes. Even today some TLDs continue to operate
         | this way.
        
           | evolve2k wrote:
           | What are reasonable timeframe expectations for nameserver
           | changes now?
        
             | DaiPlusPlus wrote:
             | That depends on the TTL of your DNS records. But if it's a
             | brand-new registration for a dot-com then I've found DNS
             | queries work within 3 minutes of me completing GoDaddy's
             | registration (and using GoDaddy's DNS zone hosting) even
             | through my ISP's DNS servers (provided there's no cached
             | NXDOMAIN results).
        
             | DanielDent wrote:
             | The .com zone file is updated every few minutes. Caching
             | behaviours will vary significantly. Frequently a
             | significant fraction of traffic can be using new
             | nameservers within minutes, with a long tail of traffic
             | with older information.
             | 
             | Each TLD does their own thing. For example, last time I
             | checked, .ca only seemed to be serving a new zone file
             | every few hours. How long new nameservers take will depend
             | on your luck in terms of where you are in their refresh
             | cycle.
        
       | swyx wrote:
       | perhaps the most surprising to me is the apparent willingness to
       | enter credit card info online in 1999. I wasn't around for this
       | period but wasn't the conventional wisdom back then that this was
       | insecure? hence PayPal?
        
         | mytailorisrich wrote:
         | In 1999 Amazon (for example) was already 5 years old and plenty
         | of people were using credit cards online.
         | 
         | People who used mail orders before the internet might remember
         | that the options included sending a cheque along with the order
         | form or filling in your credit card details on the order form
         | (that's a paper form that you send in the post), and I think
         | that this is still the case. So I don't think that average
         | people really saw sending card details online any differently.
         | I even remember being asked for my card details by email!
        
         | CalRobert wrote:
         | It was fairly common. PayPal was around in 1999 (only just).
         | More remarkably it was common to mail a personal check or money
         | order for things on eBay and for the most part, it worked.
        
         | Symbiote wrote:
         | Average non-technical people used well-known companies, but
         | that included eBay and Amazon.
         | 
         | Presumably Network Solutions was trusted by this customer of
         | theirs.
        
           | TedDoesntTalk wrote:
           | I could be wrong, but I think in 1999 Amazon was still only
           | selling books. Certainly they did not sell the variety of
           | goods they have now.
           | 
           | There were thousands of online shops at the time, selling
           | everything that Amazon sells today, and it was common to
           | purchase from them using CC or PayPal.
        
         | gruturo wrote:
         | No, not at all?
         | 
         | SSL had been around for 6 years already, credit card
         | transactions were quite common, especially with known,
         | reputable hosts (Network Solutions can safely be assumed to
         | have qualified at the time)
        
           | TedDoesntTalk wrote:
           | Unfortunately, not all websites used https or enforced it on
           | pages that should have had it. It was very common to see
           | payment forms submitted over http. That is why browsers
           | evolved to the point where Chrome now won't submit certain
           | types of html form fields over non-https.
        
             | gruturo wrote:
             | I'm aware of it - even talked some people out of attempting
             | ecommerce without SSL about 20 years ago (not all
             | successfully).
             | 
             | But the linked article specifically mentions an HTTPS link.
        
         | 0898 wrote:
         | Back then, I remember Internic let you register a domain and
         | you had 30 days to pay up, because people would commonly put a
         | cheque in the post ("mail a check.")
        
         | boomlinde wrote:
         | The general wisdom was (as it still is) that you couldn't trust
         | that anyone with a credit card form on their website would
         | honor your trust. In this case the recipient wasn't just anyone
         | with a credit card form on their website, but Network
         | Solutions.
        
         | nicky0 wrote:
         | Well we had https ("check for the lock icon") back then, you
         | could pay for plenty of things with credit cards online. Of
         | course there was some fear of it among the general public.
         | PayPal by no means invented online payments they just
         | popularised it.
        
           | ghaff wrote:
           | >PayPal by no means invented online payments they just
           | popularised it.
           | 
           | I'm not sure it's even so much that PayPal "popularized"
           | online payments as it somewhat democratized them. When I had
           | a small side software business in the early to mid-90s, it
           | wasn't easy/cheap to get set up with a merchant credit card.
           | Mostly, people mailed me checks although at some point I
           | struck a deal with a local BBS operator/reseller for him to
           | take payments for me when necessary.
        
         | corford wrote:
         | Memory's hazy (it might have been a year or two before 1999)
         | but I remember in the UK buying a domain from Network Solutions
         | with a credit card but then I had to fax a signed document to
         | their US office to actually authenticate ownership. This wasn't
         | an automated anti-fraud thing like you might see today, it was
         | just standard procedure for on-line orders (or at least non-US
         | ones).
         | 
         | But, yeah, paying on-line with credit cards was absolutely a
         | thing in 1999.
        
         | paulie_a wrote:
         | I regularly made normal payments for normal products such as
         | movies and nothing. It generally was considered safe.
        
       | ncmncm wrote:
       | Biggest anachronism is his mailing (maybe home) address and phone
       | number at the bottom.
        
       | raverbashing wrote:
       | > in addition to a new copy of Visual Studio 6.0 (which I need to
       | compile and run the decss program to decode my DVD's so that I
       | can play them under Linux)
       | 
       | Why would you need VS6 to compile a program for Linux?
        
         | ArgyleSound wrote:
         | He was compiling a Windows program to decode his DVDs so that
         | he could play them on Linux
        
         | 0x0 wrote:
         | DeCSS was a Windows-only program back in those days.
        
       | A_No_Name_Mouse wrote:
       | This happened in 1999/2000, maybe someone could add (2000) to the
       | title?
        
       ___________________________________________________________________
       (page generated 2020-07-19 23:00 UTC)