The Passport Payment (2000) (opens in new tab)

(web.archive.org)

209 pointscsapdani5y ago52 comments

52 comments

Could you imagine doing this today? You'd probably get lawyers making you sign agreements saying your payment of the domain renewal is not a ownership interest in the domain and threatening to take you to court for renewing their domain.

dewey5y ago

I actually think it would be the opposite now. Things like bug bounties or a huge PR problem by the affected problem posting it on Twitter are new things. It was more prevalent to send lawyers for accessing public but not meant to be public URLs back in the days than it's now.

SMAAART5y ago

And - of course - the same lawyers would bill MSFT $5,000

kijin5y ago

According to the story, it took somewhere between 13 and 19 hours for passport.com to resolve properly after he renewed it for Microsoft. Is that normally how long it takes to reactivate a domain name that has gone into a renewal grace period, or was something different back then?

Perhaps the NXDOMAIN response was cached by ISPs for an especially long time because it was such a frequently visited hostname?

DanielDent5y ago

It used to be that nameserver changes with TLDs were measured in days, not minutes. Even today some TLDs continue to operate this way.

evolve2k5y ago

What are reasonable timeframe expectations for nameserver changes now?

3 more replies

orisho5y ago

NXDOMAIN is often cached for much longer because it's assumed not to change soon. Sometimes, as in this case, that's a wrong assumption.

DaiPlusPlus5y ago

I thought NXDOMAIN results were cached for as long as the TTL in the parent SOA record?

1 more reply

terenceng20105y ago

Try to go passport.com nowadays. It redirects you to Bing and search "passport" as result. Handy.

calvinmorrison5y ago

I had an issue with my router which now uses myfiosgateway.com as the router config though it is hosted on the router (presumably so it can serve https?) And mark monitor showed up with a big "this is the actual internet so you don't wanna visit it" page when I was routed to the actual .com, kinda similar

raverbashing5y ago

> in addition to a new copy of Visual Studio 6.0 (which I need to compile and run the decss program to decode my DVD's so that I can play them under Linux)

Why would you need VS6 to compile a program for Linux?

ArgyleSound5y ago

He was compiling a Windows program to decode his DVDs so that he could play them on Linux

0x05y ago

DeCSS was a windows-only program back in those days.

Lammy5y ago

Also, because it's a joke and is funny :p

StavrosK5y ago

I'm confused, how did he pay for someone else's domain? Was there no authentication?

hadrien015y ago

You can renew a domain without being authenticated, but you won't be able to take ownership of it. It's useful if you can't find your login details and are in a hurry.

StavrosK5y ago

Oh huh, I didn't know that, thanks.

namibj5y ago

Back then, control was authenticated as necessary for the proper functioning, but even today I see no reason why renewal should have to be gated behind login walls. Actually, I'd even prefer it not to be, because you might, in a pinch, be prevented from paying for them yourself electronically, having to call in a favor and promise to pay back as soon as you see that friend.

Or you just prefer to pay someone cash for them to top up your domain, because you don't like mixing money and the internet, but have e.g. a personal domain for email.

jedimastert5y ago

> even today I see no reason why renewal should have to be gated behind login walls.

This actually reminds me on a somewhat interesting social engineering "vulnerability" a little while back[0].

1. The hacker would call into Amazon and say that the website was acting up and they needed to add a card to the victim's account. It wouldn't take much effort because why would it?

2. The hacker'd call right back and say that "their" email had been compromised and they needed to change it/add a new one and reset the password. You supply the card you just gave (and name/billing address, but those aren't too hard to find)

3. Use that to hop on to the account and grab the last 4 digits of the victim's real card.

You now have the victim's billing address and last 4 of a credit card. A surprising amount of authentication power.

I think the lesson here is if it can be privileged information, it is. Even if it's privileged for someone else.

[0]: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

2 more replies

em-bee5y ago

yup, i use gandi for that reason. they support payment from anyone. it's especially convenient for volunteer community sites. we don't depend on the person who registered the domain and forgot to give access to others.

1 more reply

TazeTSchnitzel5y ago

In the UK, student loan payments can be made online without authentication: if you know the right details, it just works. Which was convenient for me, because I have never managed to log into my account.

jtl9995y ago

There are other registrars that support paying for an arbitrary domain without having ownership.

1 more reply

swyx5y ago

perhaps the most surprising to me is the apparent willingness to enter credit card info online in 1999. I wasn't around for this period but wasn't the conventional wisdom back then that this was insecure? hence PayPal?

boomlinde5y ago

The general wisdom was (as it still is) that you couldn't trust that anyone with a credit card form on their website would honor your trust. In this case the recipient wasn't just anyone with a credit card form on their website, but Network Solutions.

gruturo5y ago

No, not at all?

SSL had been around for 6 years already, credit card transactions were quite common, especially with known, reputable hosts (Network Solutions can be safely be assumed to have qualified at the time)

TedDoesntTalk5y ago

Unfortunately, not all websites used https or enforced it on pages that should have had it. It was very common to see payment forms submitted over http. That is why browsers evolved to the point where Chrome now won’t submit certain types of html form fields over non-https.

1 more reply

mytailorisrich5y ago

In 1999 Amazon (for example) was already 5 years old and plenty of people were using credit cards online.

People who used mail orders before the internet might remember that the options included sending a cheque along with the order form or filling in your credit card details on the order form (that's a paper form that you send in the post), and I think that this is still the case. So I don't think that average people really saw sending card details online any differently. I even remember being asked for my card details by email!

corford5y ago

Memory's hazy (it might have been a year or two before 1999) but I remember in the UK buying a domain from Network Solutions with a credit card but then I had to fax a signed document to their US office to actually authenticate ownership. This wasn't an automated anti-fraud thing like you might see today, it was just standard procedure for on-line orders (or at least non-US ones).

But, yeah, paying on-line with credit cards was absolutely a thing in 1999.

08985y ago

Back then, I remember Internic let you register a domain and you had 30 days to pay up, because people would commonly put a cheque in the post ("mail a check.")

1 more reply

Symbiote5y ago

Average non-technical people used well-known companies, but that included eBay and Amazon.

Presumably Network Solutions was trusted by this customer of theirs.

TedDoesntTalk5y ago

I could be wrong, but I think in 1999 Amazon was still only selling books. Certainly they did not sell the variety of goods they have now.

There were thousands of online shops at the time, selling everything that Amazon sells today, and it was common to purchase from them using CC or PayPal.

nicky05y ago

Well we had https ("check for the lock icon") back then, you could pay for plenty of things with credit cards online. Of course there was some fear of it among the general public. PayPal by no means invented online payments they just popularised it.

ghaff5y ago

>PayPal by no means invented online payments they just popularised it.

I'm not sure it's even so much that PayPal "popularized" online payments as it somewhat democratized them. When I had a small side software business in the early to mid-90s, it wasn't easy/cheap to get setup with a merchant credit card. Mostly, people mailed me checks although at some point I struck a deal with a local BBS operator/reseller for him to take payments for me when necessary.

CalRobert5y ago

It was fairly common. Paypal was around in 1999 (only just). More remarkably it was common to mail a personal check or money order for things on ebay and for the most part, it worked.

paulie_a5y ago

I regularly made normal payments for normal products such as movies and nothing. It generally was considered safe.

ChrisMarshallNY5y ago

It’s always nice to hear about people doing the right thing. Thanks for sharing the story.

ncmncm5y ago

Biggest anachronism is his mailing (maybe home) address and phone number at the bottom.

spyc5y ago

Great move, kudos to Micheal!

A_No_Name_Mouse5y ago

This happened in 1999/2000, maybe someone could add (2000) to the title?

j / k navigate · click thread line to collapse

52 comments

dannyw5y ago

dewey5y ago

SMAAART5y ago

And - of course - the same lawyers would bill MSFT $5,000

kijin5y ago

Perhaps the NXDOMAIN response was cached by ISPs for an especially long time because it was such a frequently visited hostname?

DanielDent5y ago

It used to be that nameserver changes with TLDs were measured in days, not minutes. Even today some TLDs continue to operate this way.

evolve2k5y ago

What are reasonable timeframe expectations for nameserver changes now?

3 more replies

orisho5y ago

NXDOMAIN is often cached for much longer because it's assumed not to change soon. Sometimes, as in this case, that's a wrong assumption.

DaiPlusPlus5y ago

I thought NXDOMAIN results were cached for as long as the TTL in the parent SOA record?

1 more reply

terenceng20105y ago

Try to go passport.com nowadays. It redirects you to Bing and search "passport" as result. Handy.

calvinmorrison5y ago

raverbashing5y ago

> in addition to a new copy of Visual Studio 6.0 (which I need to compile and run the decss program to decode my DVD's so that I can play them under Linux)

Why would you need VS6 to compile a program for Linux?

ArgyleSound5y ago

He was compiling a Windows program to decode his DVDs so that he could play them on Linux

0x05y ago

DeCSS was a windows-only program back in those days.

Lammy5y ago

Also, because it's a joke and is funny :p

StavrosK5y ago

I'm confused, how did he pay for someone else's domain? Was there no authentication?

hadrien015y ago

You can renew a domain without being authenticated, but you won't be able to take ownership of it. It's useful if you can't find your login details and are in a hurry.

StavrosK5y ago

Oh huh, I didn't know that, thanks.

namibj5y ago

Or you just prefer to pay someone cash for them to top up your domain, because you don't like mixing money and the internet, but have e.g. a personal domain for email.

jedimastert5y ago

> even today I see no reason why renewal should have to be gated behind login walls.

This actually reminds me on a somewhat interesting social engineering "vulnerability" a little while back[0].

1. The hacker would call into Amazon and say that the website was acting up and they needed to add a card to the victim's account. It wouldn't take much effort because why would it?

3. Use that to hop on to the account and grab the last 4 digits of the victim's real card.

You now have the victim's billing address and last 4 of a credit card. A surprising amount of authentication power.

I think the lesson here is if it can be privileged information, it is. Even if it's privileged for someone else.

[0]: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

2 more replies

em-bee5y ago

1 more reply

TazeTSchnitzel5y ago

jtl9995y ago

There are other registrars that support paying for an arbitrary domain without having ownership.

1 more reply

swyx5y ago

boomlinde5y ago

gruturo5y ago

No, not at all?

SSL had been around for 6 years already, credit card transactions were quite common, especially with known, reputable hosts (Network Solutions can be safely be assumed to have qualified at the time)

TedDoesntTalk5y ago

1 more reply

mytailorisrich5y ago

In 1999 Amazon (for example) was already 5 years old and plenty of people were using credit cards online.

corford5y ago

But, yeah, paying on-line with credit cards was absolutely a thing in 1999.

08985y ago

Back then, I remember Internic let you register a domain and you had 30 days to pay up, because people would commonly put a cheque in the post ("mail a check.")

1 more reply

Symbiote5y ago

Average non-technical people used well-known companies, but that included eBay and Amazon.

Presumably Network Solutions was trusted by this customer of theirs.

TedDoesntTalk5y ago

I could be wrong, but I think in 1999 Amazon was still only selling books. Certainly they did not sell the variety of goods they have now.

There were thousands of online shops at the time, selling everything that Amazon sells today, and it was common to purchase from them using CC or PayPal.

nicky05y ago

ghaff5y ago

>PayPal by no means invented online payments they just popularised it.

CalRobert5y ago

It was fairly common. Paypal was around in 1999 (only just). More remarkably it was common to mail a personal check or money order for things on ebay and for the most part, it worked.

paulie_a5y ago

I regularly made normal payments for normal products such as movies and nothing. It generally was considered safe.

ChrisMarshallNY5y ago

It’s always nice to hear about people doing the right thing. Thanks for sharing the story.

ncmncm5y ago

Biggest anachronism is his mailing (maybe home) address and phone number at the bottom.

spyc5y ago

Great move, kudos to Micheal!

A_No_Name_Mouse5y ago

This happened in 1999/2000, maybe someone could add (2000) to the title?

j / k navigate · click thread line to collapse