Re: login.passport.net

From: Super_Geek (RichardFalconer_at_thepostmaster.net)
Date: 07/14/03


Date: Mon, 14 Jul 2003 09:52:55 +0100


Mr. Worry asks a question to do with PCs, Super_Geek dives in and tries
to help:
>CASE1: Today, when I try to login to my hotmail as
>usual, a screen popped up showing:
>
>Revocation information for the security certificate for
>this site is not available. Do you want to proceed?
>
>I noticed that the certificate was issued to
>loginnet.passport.com i/o login.passport.net
>
>CASE2: I used a fake login name to further test it and
>accidentally discovered that the login mechanism was
>allowing me to login INFINITELY in case of wrong password
>input.
>
>Q1. Is loginnet.passport.com the same as
>login.passport.net/belongs to Microsoft? Will it be
>alright if I clicked 'yes' to proceed? (I'm scared that
>I'm under a man-in-the-middle attack)
>
>
>Q2. If the answer in Q1 is yes (meaning that I'm not
>under man-in-the-middle attack), will someone be able to
>launch a brute force attack once he knows a login name to
>the hotmail account as well as passport.net?
>

Mr. Worry,
please relax. Your health is much more important than your email
account's security.
An expired certificate is nothing to panic about. Even MS takes time to
renew them. Just press "Yes".
As far as I am aware, MS never had a system where you were not able to
enter passwords infinitely. This is probably due to the limitations of
HTML. I.e., once a user has entered an incorrect password too many times,
the only way of recording it is with a cookie. The user could then
easily delete this and continue. I suppose you could do something fancy
with server side scripting to record the info there, but of course
simplicity is bliss.

I would presume that the two websites are the same. Microsoft tends to
buy all similar sounding domain names to all its legitimate websites.
However there is still a chance that one of them is a clone of the
other. Trawling through the source code will likely reveal subtle
differences. The clone website (if it is indeed a clone) will likely
have some code to transmit entered passwords to a third-party. This
should stick out like a sore thumb.

Sorry to use so many clichés. They should be avoided like the plague.

HTH

-- 
Super_Geek, 16
"How do I set a laser printer to stun?"
-My website is currently under construction, but I'll post a link here soon for FAQs.

