Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Friday May 19 2023, @05:58PM   Printer-friendly

Researchers are debating how the new domains will affect web security and users' habits:

In Google's own words, new generic top-level domains (gTLDs) can help self-expression, creativity and business. The previously approved list of "hundreds" of gTLDs entries now provides some troublesome additions such as "zip" and "mov," which can (and will) be abused to target users with sophisticated phishing attacks.

Google Registry has recently introduced 8 new top-level domains for "dads, grads, and techies," adding .dad, .phd, .prof, .esq, .foo, .nexus, .zip, and .mov to its growing list of some of the "most popular" gTLDs which also include .app and .dev. The .zip and .mov domains, however, have sparked a debate among experts about their potential consequences on internet and web overall security.

The zip and mov gTLDs were available in IANA's DNS records since 2014, but they have now become generally available thanks to Google's involvement. Now, anyone can purchase a ".zip" or ".mov" domain like "techspot.zip," even though the two suffixes have long been used to identify compressed file archives in Zip format and video clip files.

The overlap between two, extremely popular file formats – the Zip standard was created by Pkware in 1989, 34 years ago – and the recently registered web domains will bring new security threats to the internet ecosystem, some researchers said. Users could be deceived by malicious URLs shared on social networks or by mail, giving cyber-criminals new, "creative" tools to push malware installations, phishing campaigns or other nefarious activities.

As zip and mov are now two generally approved TLDs, internet services and mobile apps will be essentially forced to treat text snippets such as "test.zip" or "test.mov" like proper URLs to open in a web browser. Cyber-criminals have already started to exploit the new gTLDs, with a now-defunct phishing page at "microsoft-office.zip" designed to try and steal Microsoft Account credentials.

New exploit tactics conceived by security researchers include the ability to use Unicode characters and the "@" symbol for user identification as a creative way to share malicious URLs that looks like legitimate internet addresses. The "creative" internet conceived by Google as a new form of expression and business is more insecure than ever, it seems.

The debate among security experts is still ongoing, though, as some developers don't share the same "doom and gloom" sentiment about the new gTLDs. Microsoft Edge programmer Eric Lawrence said on Twitter that the level of fear-mongering about .zip and .mov domains is "just comical." Google highlighted how the risk of confusion between domains and file names is not a new one, and that Google Registry provides the tools needed to suspend or remove malicious domains across all of the TLDs the company controls.

See also: https://arstechnica.com/information-technology/2023/05/critics-say-googles-new-zip-and-mov-domains-will-be-a-boon-to-scammers/


Original Submission

This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 5, Insightful) by VLM on Friday May 19 2023, @06:17PM

    by VLM (445) on Friday May 19 2023, @06:17PM (#1307044)

    They need a .slash TLD

    Although in reality other than hoovering up money to "protect trademarks" and appearing in a lot of spam, there's little justification for TLDs existing, so its lame they keep making them.

  • (Score: 5, Interesting) by SomeGuy on Friday May 19 2023, @06:41PM (4 children)

    by SomeGuy (5632) on Friday May 19 2023, @06:41PM (#1307048)

    So, just to be fair, can we get other extensions like .7z, .rar, .arc, or .tar? With all the ".com"s I always thought there should be a ".exe".

    Who wouldn't want a ".fuck" or ".shit" top level domain?

    An ".alt" domain for old usenet fans?

    Internally, I think Google is planning for ".money" ".moremoney", and ".moremoremoney" domains.

    Everyone loves AI so much, create ".AI" top level domains just for your new rape-all-humans AI bots.

    Or just create any vanity domain anyone wants. Get your ".bobjohnson" tld while it is available!

    "enougha.dat"

    • (Score: 5, Informative) by janrinok on Friday May 19 2023, @06:49PM

      by janrinok (52) Subscriber Badge on Friday May 19 2023, @06:49PM (#1307050) Journal

      Someone has already beaten you to it.

      There are several AI sites using the .ai tld. It belongs to Anguilla.

      --
      I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
    • (Score: 2) by inertnet on Friday May 19 2023, @09:36PM (1 child)

      by inertnet (4071) on Friday May 19 2023, @09:36PM (#1307070) Journal

      If TLD's had been affordable, I would have applied for .orbit (or .leo), .moon, .mars, .venus and the rest of the solar system.

      • (Score: 0) by Anonymous Coward on Saturday May 20 2023, @04:18PM

        by Anonymous Coward on Saturday May 20 2023, @04:18PM (#1307151)

        I tried .here

        https://datatracker.ietf.org/doc/html/draft-yeoh-tldhere-01 [ietf.org]

        I wasn't rich enough to spend >= USD100,000 just to apply for the TLD (with no guarantee of getting it) only to give it to the world, so I tried via other ways - RFC etc but it didn't work. ICANN was more interested in YetAnotherDotComs like .info and .biz.

        I'm biased of course but I think my proposed usage has a lot more merit than .zip

    • (Score: 2) by jb on Sunday May 21 2023, @05:11AM

      by jb (338) on Sunday May 21 2023, @05:11AM (#1307200)

      So, just to be fair, can we get other extensions like .7z, .rar, .arc, or .tar? With all the ".com"s I always thought there should be a ".exe".

      Hey, some of us still use compress(1). So how come we don't get a .Z too?

  • (Score: 4, Informative) by Spamalope on Friday May 19 2023, @07:25PM

    by Spamalope (5233) on Friday May 19 2023, @07:25PM (#1307052) Homepage

    From a tech discord - one user is seeing email exploits pointing to web pages with a payload using '@' in what otherwise appears to be a valid, safe URL

  • (Score: 3, Touché) by darkfeline on Friday May 19 2023, @07:58PM

    by darkfeline (1030) on Friday May 19 2023, @07:58PM (#1307056) Homepage

    What is the problem here? That the gTLDs were added in 2014? That a provider is now selling them? That Google specifically is selling them? That end user client UX's are confusing?

    Personally, I don't see the problem (and I haven't seen a .mov file in god knows when).

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 3, Interesting) by istartedi on Friday May 19 2023, @08:00PM

    by istartedi (123) on Friday May 19 2023, @08:00PM (#1307057) Journal

    Hopefully they'll disable those by default. I can't for the life of me imagine what I'm going to want from a site .zip or .mov TLD. If nothing else, this will be an easy plug-in for somebody to write, but lots of wasted effort on firewall policies everywhere.

    Seriously, even .biz kind of made sense, but when was the last time I went to one of those and got something useful? Anybody?

    We're not talking IPv4 here. There's no shortage of namespace. You could probably register a domain name for every tree on the planet with what we've got.

    --
    Appended to the end of comments you post. Max: 120 chars.
  • (Score: 5, Insightful) by PinkyGigglebrain on Friday May 19 2023, @08:16PM

    by PinkyGigglebrain (4458) on Friday May 19 2023, @08:16PM (#1307059)

    sounds like it is time to add a few more lines to my /etc/host and firewall rules.

    --
    "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
  • (Score: 2) by deimtee on Friday May 19 2023, @09:17PM (3 children)

    by deimtee (3272) on Friday May 19 2023, @09:17PM (#1307067) Journal

    Why haven't they added a .dark for the dark web and .deep for the deep web?

    --
    If you cough while drinking cheap red wine it really cleans out your sinuses.
    • (Score: 0) by Anonymous Coward on Friday May 19 2023, @10:06PM

      by Anonymous Coward on Friday May 19 2023, @10:06PM (#1307074)

      Too obvious. They can hide better on .net

    • (Score: 2) by janrinok on Saturday May 20 2023, @07:50AM

      by janrinok (52) Subscriber Badge on Saturday May 20 2023, @07:50AM (#1307104) Journal

      Perhaps nobody was prepared to pay the minimum bidding priced demanded by those in control.

      --
      I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
    • (Score: 2) by Thexalon on Saturday May 20 2023, @11:02AM

      by Thexalon (636) on Saturday May 20 2023, @11:02AM (#1307122)

      Because using those would function much like the proposed solution to malware in RFC 3514 [ietf.org], which was never widely adopted?

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 3, Funny) by Mojibake Tengu on Friday May 19 2023, @11:20PM

    by Mojibake Tengu (8598) on Friday May 19 2023, @11:20PM (#1307078) Journal

    Best top ever.

    --
    Rust programming language offends both my Intelligence and my Spirit.
  • (Score: 3, Insightful) by jb on Saturday May 20 2023, @04:41AM

    by jb (338) on Saturday May 20 2023, @04:41AM (#1307100)

    ...even though the two suffixes have long been used to identify compressed file archives in Zip format and video clip files.

    If your operating system decides what a file is supposed to contain based solely on its name, then it's long past time to throw it away and install something that wasn't designed by a complete fool.

    I'm no fan of Google at all, but in this particular case the fault does not lie with Google. It lies squarely with Microsoft.

  • (Score: 3, Interesting) by Rosco P. Coltrane on Saturday May 20 2023, @08:44AM

    by Rosco P. Coltrane (4757) on Saturday May 20 2023, @08:44AM (#1307108)

    Anything that's not a traditional ,net, .com, .co.something, gov, mil or a country TLD tells me one of 3 things:

    - Phishing attempt or sketchy URL or email address
    - Marketrdroid trying to be clever
    - Something to block in uBlock Origin (most notable, anything that ends in .goog)

    I almost always treat fancy TLDs as an excellent indication to steer clear what whatever's behind it. Very convenient.

(1)