[HN Gopher] The Passport Payment (2000)
___________________________________________________________________

The Passport Payment (2000)

Author : csapdani
Score : 188 points
Date : 2020-07-19 08:47 UTC (14 hours ago)

(HTM) web link (web.archive.org)
(TXT) w3m dump (web.archive.org)

| terenceng2010 wrote:
| Try to go to passport.com nowadays. It redirects you to Bing and
| search "passport" as result. Handy.
|
| calvinmorrison wrote:
| I had an issue with my router which now uses myfiosgateway.com
| as the router config though it is hosted on the router
| (presumably so it can serve https?) And MarkMonitor showed up
| with a big "this is the actual internet so you don't wanna
| visit it" page when I was routed to the actual .com, kinda
| similar
|
| dannyw wrote:
| Could you imagine doing this today? You'd probably get lawyers
| making you sign agreements saying your payment of the domain
| renewal is not an ownership interest in the domain and threatening
| to take you to court for renewing their domain.
|
| SMAAART wrote:
| And - of course - the same lawyers would bill MSFT $5,000
|
| dewey wrote:
| I actually think it would be the opposite now. Things like bug
| bounties or a huge PR problem by the affected problem posting
| it on Twitter are new things. It was more prevalent to send
| lawyers for accessing public but not meant to be public URLs
| back in the days than it's now.
|
| StavrosK wrote:
| I'm confused, how did he pay for someone else's domain? Was there
| no authentication?
|
| hadrien01 wrote:
| You can renew a domain without being authenticated, but you
| won't be able to take ownership of it. It's useful if you can't
| find your login details and are in a hurry.
|
| StavrosK wrote:
| Oh huh, I didn't know that, thanks.
|
| namibj wrote:
| Back then, control was authenticated as necessary for the
| proper functioning, but even today I see no reason why renewal
| should have to be gated behind login walls.
| Actually, I'd even
| prefer it not to be, because you might, in a pinch, be
| prevented from paying for them yourself electronically, having
| to call in a favor and promise to pay back as soon as you see
| that friend.
|
| Or you just prefer to pay someone cash for them to top up your
| domain, because you don't like mixing money and the internet,
| but have e.g. a personal domain for email.
|
| TazeTSchnitzel wrote:
| In the UK, student loan payments can be made online without
| authentication: if you know the right details, it just works.
| Which was convenient for me, because I have never managed to
| log into my account.
|
| jtl999 wrote:
| There are other registrars that support paying for an
| arbitrary domain without having ownership.
|
| jedimastert wrote:
| > even today I see no reason why renewal should have to be
| gated behind login walls.
|
| This actually reminds me of a somewhat interesting social
| engineering "vulnerability" a little while back[0].
|
| 1. The hacker would call into Amazon and say that the website
| was acting up and they needed to add a card to the victim's
| account. It wouldn't take much effort because why would it?
|
| 2. The hacker'd call right back and say that "their" email
| had been compromised and they needed to change it/add a new
| one and reset the password. You supply the card you just gave
| (and name/billing address, but those aren't too hard to find)
|
| 3. Use that to hop on to the account and grab the last 4
| digits of the victim's real card.
|
| You now have the victim's billing address and last 4 of a
| credit card. A surprising amount of authentication power.
|
| I think the lesson here is if it _can_ be privileged
| information, it _is_. Even if it's privileged for someone
| else.
|
| [0]: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...
|
| wolco wrote:
| That's a useless hack at the time. You could generate your
| own credit card numbers back then using a formula.
| The name/expiry date or address were not used for verification.
|
| So ordering from a fake credit card was easy. Finding the
| drop shipping location was the hard part.
|
| dannyw wrote:
| Your fake credit card isn't going to have a balance.
|
| TedDoesntTalk wrote:
| It was and still is trivial to get stolen credit card
| info that does have balances or credit available.
|
| wolco wrote:
| It didn't matter because in order to check someone had to
| call and wait an hour so no one did in mail order
| purchases/shopping networks because you had an address to
| send the police to.
|
| namibj wrote:
| Ok, yeah, I see. Though, in that case, it's both a failure
| on his side, as well as an utter failure on Apple's side.
|
| Also, arguably, a plus for Google's stance on this: no
| answers to questions, no access. Sue us.
|
| em-bee wrote:
| yup, i use gandi for that reason. they support payment from
| anyone. it's especially convenient for volunteer community
| sites. we don't depend on the person who registered the
| domain and forgot to give access to others.
|
| nathancahill wrote:
| Very good to know. I use Gandi too, didn't realize I could
| do that.
|
| ChrisMarshallNY wrote:
| It's always nice to hear about people doing the right thing.
| Thanks for sharing the story.
|
| spyc wrote:
| Great move, kudos to Michael!
|
| kijin wrote:
| According to the story, it took somewhere between 13 and 19 hours
| for passport.com to resolve properly after he renewed it for
| Microsoft. Is that normally how long it takes to reactivate a
| domain name that has gone into a renewal grace period, or was
| something different back then?
|
| Perhaps the NXDOMAIN response was cached by ISPs for an
| especially long time because it was such a frequently visited
| hostname?
|
| orisho wrote:
| NXDOMAIN is often cached for much longer because it's assumed
| not to change soon. Sometimes, as in this case, that's a wrong
| assumption.
|
| DaiPlusPlus wrote:
| I thought NXDOMAIN results were cached for as long as the TTL
| in the parent SOA record?
|
| yrro wrote:
| For com. that's currently 24 hours!
|
| DanielDent wrote:
| It used to be that nameserver changes with TLDs were measured
| in days, not minutes. Even today some TLDs continue to operate
| this way.
|
| evolve2k wrote:
| What are reasonable timeframe expectations for nameserver
| changes now?
|
| DaiPlusPlus wrote:
| That depends on the TTL of your DNS records. But if it's a
| brand-new registration for a dot-com then I've found DNS
| queries work within 3 minutes of me completing GoDaddy's
| registration (and using GoDaddy's DNS zone hosting) even
| through my ISP's DNS servers (provided there's no cached
| NXDOMAIN results).
|
| DanielDent wrote:
| The .com zone file is updated every few minutes. Caching
| behaviours will vary significantly. Frequently a
| significant fraction of traffic can be using new
| nameservers within minutes, with a long tail of traffic
| with older information.
|
| Each TLD does their own thing. For example, last time I
| checked, .ca only seemed to be serving a new zone file
| every few hours. How long new nameservers take will depend
| on your luck in terms of where you are in their refresh
| cycle.
|
| [deleted]
|
| swyx wrote:
| perhaps the most surprising to me is the apparent willingness to
| enter credit card info online in 1999. I wasn't around for this
| period but wasn't the conventional wisdom back then that this was
| insecure? hence PayPal?
|
| mytailorisrich wrote:
| In 1999 Amazon (for example) was already 5 years old and plenty
| of people were using credit cards online.
|
| People who used mail orders before the internet might remember
| that the options included sending a cheque along with the order
| form or filling in your credit card details on the order form
| (that's a paper form that you send in the post), and I think
| that this is still the case.
| So I don't think that average
| people really saw sending card details online any differently.
| I even remember being asked for my card details by email!
|
| CalRobert wrote:
| It was fairly common. Paypal was around in 1999 (only just).
| More remarkably it was common to mail a personal check or money
| order for things on ebay and for the most part, it worked.
|
| Symbiote wrote:
| Average non-technical people used well-known companies, but
| that included eBay and Amazon.
|
| Presumably Network Solutions was trusted by this customer of
| theirs.
|
| TedDoesntTalk wrote:
| I could be wrong, but I think in 1999 Amazon was still only
| selling books. Certainly they did not sell the variety of
| goods they have now.
|
| There were thousands of online shops at the time, selling
| everything that Amazon sells today, and it was common to
| purchase from them using CC or PayPal.
|
| gruturo wrote:
| No, not at all?
|
| SSL had been around for 6 years already, credit card
| transactions were quite common, especially with known,
| reputable hosts (Network Solutions can safely be assumed to
| have qualified at the time)
|
| TedDoesntTalk wrote:
| Unfortunately, not all websites used https or enforced it on
| pages that should have had it. It was very common to see
| payment forms submitted over http. That is why browsers
| evolved to the point where Chrome now won't submit certain
| types of html form fields over non-https.
|
| gruturo wrote:
| I'm aware of it - even talked some people out of attempting
| ecommerce without SSL about 20 years ago (not all
| successfully).
|
| But the linked article specifically mentions an HTTPS link.
|
| 0898 wrote:
| Back then, I remember Internic let you register a domain and
| you had 30 days to pay up, because people would commonly put a
| cheque in the post ("mail a check.")
|
| [deleted]
|
| boomlinde wrote:
| The general wisdom was (as it still is) that you couldn't trust
| that anyone with a credit card form on their website would
| honor your trust. In this case the recipient wasn't just anyone
| with a credit card form on their website, but Network
| Solutions.
|
| nicky0 wrote:
| Well we had https ("check for the lock icon") back then, you
| could pay for plenty of things with credit cards online. Of
| course there was some fear of it among the general public.
| PayPal by no means invented online payments they just
| popularised it.
|
| ghaff wrote:
| >PayPal by no means invented online payments they just
| popularised it.
|
| I'm not sure it's even so much that PayPal "popularized"
| online payments as it somewhat democratized them. When I had
| a small side software business in the early to mid-90s, it
| wasn't easy/cheap to get set up with a merchant credit card.
| Mostly, people mailed me checks although at some point I
| struck a deal with a local BBS operator/reseller for him to
| take payments for me when necessary.
|
| corford wrote:
| Memory's hazy (it might have been a year or two before 1999)
| but I remember in the UK buying a domain from Network Solutions
| with a credit card but then I had to fax a signed document to
| their US office to actually authenticate ownership. This wasn't
| an automated anti-fraud thing like you might see today, it was
| just standard procedure for on-line orders (or at least non-US
| ones).
|
| But, yeah, paying on-line with credit cards was absolutely a
| thing in 1999.
|
| paulie_a wrote:
| I regularly made normal payments for normal products such as
| movies and nothing. It generally was considered safe.
|
| ncmncm wrote:
| Biggest anachronism is his mailing (maybe home) address and phone
| number at the bottom.
|
| raverbashing wrote:
| > in addition to a new copy of Visual Studio 6.0 (which I need to
| compile and run the decss program to decode my DVD's so that I
| can play them under Linux)
|
| Why would you need VS6 to compile a program for Linux?
|
| ArgyleSound wrote:
| He was compiling a Windows program to decode his DVDs so that
| he could play them on Linux
|
| 0x0 wrote:
| DeCSS was a windows-only program back in those days.
|
| A_No_Name_Mouse wrote:
| This happened in 1999/2000, maybe someone could add (2000) to the
| title?
___________________________________________________________________
(page generated 2020-07-19 23:00 UTC)