On Thu, 25 Apr 1996, Lee Fisher wrote:
I was curious about the below message, and checked...
MSN uses CHAP (PPP's challenge-response handshake) for network layer authetication, and NTLM (Windows NT's challenge-response handshake) for application-layer authentication. The password is never sent in across the network. Challenge-responses encrypted with the password are sent.
Thanks; that's what I thought. Never believe anything you're told by tech support. It was pretty clear to me that the poor undereducated sod had the words "compression" and "encryption" confused. NTLM isn't perfect, but it's difficult enough to be secure enough for MSN. You're not doing anything IMPORTANT on MSN, are you? Due to Win95's open memory model, there's probably some system call that a virus/trojan can use to ask politely for the username and password; in fact, isn't it the same API that has already been demonstrated? But if you let such a beast on your machine, all bets are off anyway. -rich