.zip TLD
Christina Yeh (tweet, via Hacker News):
Google Registry has launched some of the most popular (and secure) top-level domains, such as .app and .dev. Today, we’re adding eight new extensions to the internet: .dad, .phd, .prof, .esq, .foo, .zip, .mov and .nexus.
Terence Eden (via Hacker News):
Many years ago, Google applied for the .zip Top Level Domain. ICANN, in its infinite wisdom, granted it. And now, I think, bad things are going to happen.
[…]
So what happens when things which are not domain names look like they are domain names? I’ve been worrying about this for a few years[…] Anyway, have fun determining if the link you see was ever intended to link to a website!
He’s referring to confusion over the .zip filename extension for compressed archives. Amazingly, the original idea for the TLD was in reference to the Iomega Zip drive.
Karen West (via Hacker News):
You can now purchase .zip and .mov domain names, like the one this page resides on! Isn’t that just fun for the entire family?
[…]
For decades engineers have been working hard to try and make the internet less susceptible to phishing attacks, look-alike domains, etc., and now money men have decided to unravel that work so somebody can purchase anyword.zip as a domain name.
Previously:
Update (2023-05-18): Ezekiel Elin:
I’ve seen points claiming that apps will auto link something like document.zip and then a scammer could pre-emptively have created a scam website - but I feel like most systems don’t auto link without http(s):// and when they do it’s usually just .com/.org
Martin Brinkmann (via Sören):
The .zip extension allows cyber criminals to run phishing campaigns that abuse the fact that .zip is a popular file extension and also a top level domain.
Domains such as officeupdate.zip or microsoft-office.zip have already been used in phishing campaigns. The latter is still online but safe browsing should warn users prior to accessing the site in question. Several of the registered domains could be used in phishing campaigns, while others may be used for legitimate purposes.
[…]
Some applications may attach hyperlinks to ZIP file names now, which may lead to the firing of DNS queries and the leaking of information to the .zip domain.
The ICSS recommends disabling access to .zip domains entirely until the dust settles and risks can be assessed.
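The leak described above (an application auto-links a filename, a DNS query for that name fires) shows up in resolver logs. The following detection is an added example, not code from the post or from the quoted article: it scans a simple, constructed one-query-per-line log format for lookups under the .zip and .mov TLDs and groups them by client, which is what a SOC would look at before deciding whether to block those TLDs. Real resolver log formats (BIND, Unbound, Windows DNS) differ and need their own line parser.

```python
"""Flag DNS queries for names under TLDs that double as file extensions.

Added example; the log format below is constructed for this example.
"""
import re
from collections import defaultdict

# TLDs from the post that collide with common file extensions. Assumption:
# this is the watch list a SOC would start with; extend as needed.
WATCHED_TLDS = ("zip", "mov")

# Constructed log line format: "<timestamp> <client-ip> query: <qname> <qtype>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$"
)


def watched_tld(qname: str):
    """Return the watched TLD of qname (without trailing dot), or None."""
    name = qname.rstrip(".").lower()
    tld = name.rpartition(".")[2]
    return tld if tld in WATCHED_TLDS else None


def scan_dns_log(lines):
    """Return {client_ip: sorted unique qnames} for queries under a watched TLD."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line in this constructed format: skip it
        if watched_tld(m["qname"]):
            hits[m["client"]].add(m["qname"].rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample: one client looks up a name that reads like an attachment
# (A and AAAA, as an auto-linking app typically triggers), another a .mov name.
SAMPLE_LOG = """\
2023-05-18T09:14:02Z 10.0.0.23 query: www.example.com. A
2023-05-18T09:14:05Z 10.0.0.23 query: quarterly-report.zip. A
2023-05-18T09:14:05Z 10.0.0.23 query: quarterly-report.zip. AAAA
2023-05-18T09:15:40Z 10.0.0.51 query: cdn.example.net. A
2023-05-18T09:16:11Z 10.0.0.51 query: holiday-video.mov. A
"""


def sample_hits():
    """Run the scan over the constructed sample log."""
    return scan_dns_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for client, names in sample_hits().items():
        print(f"{client}: {', '.join(names)}")
```

Repeated hits from one client for a name that looks like an attachment, with no matching HTTP traffic, are the signature of an application auto-linking filenames rather than a user deliberately visiting a .zip site.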
Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?
[…]
As you can see in the breakdown of a URL below, everything between the scheme https:// and the @ operator is treated as user info, and everything after the @ operator is immediately treated as a hostname. However modern browsers such as Chrome, Safari, and Edge don’t want users authenticating to websites accidentally with a single click, so they will ignore all the data in the user info section, and simply direct the user to the hostname portion of the URL.
While I tend to share the general sentiment, I think these fears are spitting into the wind. Domain names and filenames might look similar but are in different… uh… domains, and so has been the case forever. One could have made the same argument nearly 40 years ago with ".com" vis-a-vis the MS DOS executable extension. Nothing about ".zip" is unique here, other than the ubiquity of the archive format. Cynical as it may be, my feeling is this presents an inevitable opportunity for people to learn, and to hone their ability to discern.
Here's a short article with an example how pretend slashes (and as expected, the at-sign) may be used to confuse about 99.9% of internet users: https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5
Ironically that same link shows how most people are probably completely used to at-signs in URLs now.
Homograph attacks are still a problem. Shocker.
I think the reaction is overblown. Certainly, it speaks to a very real attack, but unfortunately it's not one with a simple solution. In this case I think excluding troublesome code points (looking like "/") from domain names presented unaltered by browsers would be an excellent start, but ultimately we need a more general approach to safely rendering such names, at least in English-speaking markets. (VoiceOver, of course, makes it easy for me to tell these code points apart; I might not be the most objective commentator.)
I'm with the cynics. The actual usefulness of a .zip domain is not obvious, and its potential for malware spreading is considerable. I had thought Google had more sense, but clearly not.
I had, unsuccessfully, attempted to appeal to the Unicode Consortium to include a "Delimiter" set. Seems to me that if things like URLs/URIs were delimited with very specific, non-repeated character codes, the nonsense of homograph attacks could largely be allayed. (And, of course, it could greatly help cross-platform filesystem transactions as well as CSV/TSV interchange.) While an operating system/browser would be free to represent the delimiters in any way their creators see fit, as long as the OS was Unicode capable, the URL would be transmitted with built-in, standardized "breaks" that would facilitate inspection. Even down to things like the "." between a filename and an extension. (And, yeah, don't even get me started on how brain-dead of a concept that whole thing is to begin with… we're so stupid as a people, and "filename extensions" are proof.) Because right now, looking at various examples of code for URL inspection/explosion can make your eyes cross and your brain shut down. And this is going to make it worse.
I kind of feel like the problem is the other way around. People see a .zip in the link, they simply won't click on it even if it's a domain and not a file. I can't imagine .zip domains will ever become popular enough to overtake .zip files in notoriety.
Bozo idea either way.
[…] heads keep .jpg, .gif, .pdf, and .exe out of the complete list of top-level domains. Amusingly, Michael Tsai points out that the .zip proposal originally referred to Iomega’s now-defunct Zip drives. Sadly, it […]