Researchers are debating how the new domains will affect web security and users' habits:
In Google's own words, new generic top-level domains (gTLDs) can help self-expression, creativity and business. The previously approved list of "hundreds" of gTLDs entries now provides some troublesome additions such as "zip" and "mov," which can (and will) be abused to target users with sophisticated phishing attacks.
Google Registry has recently introduced 8 new top-level domains for "dads, grads, and techies," adding .dad, .phd, .prof, .esq, .foo, .nexus, .zip, and .mov to its growing list of some of the "most popular" gTLDs which also include .app and .dev. The .zip and .mov domains, however, have sparked a debate among experts about their potential consequences on internet and web overall security.
The zip and mov gTLDs were available in IANA's DNS records since 2014, but they have now become generally available thanks to Google's involvement. Now, anyone can purchase a ".zip" or ".mov" domain like "techspot.zip," even though the two suffixes have long been used to identify compressed file archives in Zip format and video clip files.
The overlap between two, extremely popular file formats – the Zip standard was created by Pkware in 1989, 34 years ago – and the recently registered web domains will bring new security threats to the internet ecosystem, some researchers said. Users could be deceived by malicious URLs shared on social networks or by mail, giving cyber-criminals new, "creative" tools to push malware installations, phishing campaigns or other nefarious activities.
As zip and mov are now two generally approved TLDs, internet services and mobile apps will be essentially forced to treat text snippets such as "test.zip" or "test.mov" like proper URLs to open in a web browser. Cyber-criminals have already started to exploit the new gTLDs, with a now-defunct phishing page at "microsoft-office.zip" designed to try and steal Microsoft Account credentials.
New exploit tactics conceived by security researchers include the ability to use Unicode characters and the "@" symbol for user identification as a creative way to share malicious URLs that looks like legitimate internet addresses. The "creative" internet conceived by Google as a new form of expression and business is more insecure than ever, it seems.
The debate among security experts is still ongoing, though, as some developers don't share the same "doom and gloom" sentiment about the new gTLDs. Microsoft Edge programmer Eric Lawrence said on Twitter that the level of fear-mongering about .zip and .mov domains is "just comical." Google highlighted how the risk of confusion between domains and file names is not a new one, and that Google Registry provides the tools needed to suspend or remove malicious domains across all of the TLDs the company controls.
(Score: 5, Insightful) by VLM on Friday May 19 2023, @06:17PM
They need a .slash TLD
Although in reality other than hoovering up money to "protect trademarks" and appearing in a lot of spam, there's little justification for TLDs existing, so its lame they keep making them.
(Score: 5, Interesting) by SomeGuy on Friday May 19 2023, @06:41PM (4 children)
So, just to be fair, can we get other extensions like .7z, .rar, .arc, or .tar? With all the ".com"s I always thought there should be a ".exe".
Who wouldn't want a ".fuck" or ".shit" top level domain?
An ".alt" domain for old usenet fans?
Internally, I think Google is planning for ".money" ".moremoney", and ".moremoremoney" domains.
Everyone loves AI so much, create ".AI" top level domains just for your new rape-all-humans AI bots.
Or just create any vanity domain anyone wants. Get your ".bobjohnson" tld while it is available!
"enougha.dat"
(Score: 5, Informative) by janrinok on Friday May 19 2023, @06:49PM
Someone has already beaten you to it.
There are several AI sites using the .ai tld. It belongs to Anguilla.
(Score: 2) by inertnet on Friday May 19 2023, @09:36PM (1 child)
If TLD's had been affordable, I would have applied for .orbit (or .leo), .moon, .mars, .venus and the rest of the solar system.
(Score: 0) by Anonymous Coward on Saturday May 20 2023, @04:18PM
I tried .here
https://datatracker.ietf.org/doc/html/draft-yeoh-tldhere-01 [ietf.org]
I wasn't rich enough to spend >= USD100,000 just to apply for the TLD (with no guarantee of getting it) only to give it to the world, so I tried via other ways - RFC etc but it didn't work. ICANN was more interested in YetAnotherDotComs like .info and .biz.
I'm biased of course but I think my proposed usage has a lot more merit than .zip
(Score: 2) by jb on Sunday May 21 2023, @05:11AM
Hey, some of us still use compress(1). So how come we don't get a .Z too?
(Score: 4, Informative) by Spamalope on Friday May 19 2023, @07:25PM
From a tech discord - one user is seeing email exploits pointing to web pages with a payload using '@' in what otherwise appears to be a valid, safe URL
(Score: 3, Touché) by darkfeline on Friday May 19 2023, @07:58PM
What is the problem here? That the gTLDs were added in 2014? That a provider is now selling them? That Google specifically is selling them? That end user client UX's are confusing?
Personally, I don't see the problem (and I haven't seen a .mov file in god knows when).
Join the SDF Public Access UNIX System today!
(Score: 3, Interesting) by istartedi on Friday May 19 2023, @08:00PM
Hopefully they'll disable those by default. I can't for the life of me imagine what I'm going to want from a site .zip or .mov TLD. If nothing else, this will be an easy plug-in for somebody to write, but lots of wasted effort on firewall policies everywhere.
Seriously, even .biz kind of made sense, but when was the last time I went to one of those and got something useful? Anybody?
We're not talking IPv4 here. There's no shortage of namespace. You could probably register a domain name for every tree on the planet with what we've got.
Appended to the end of comments you post. Max: 120 chars.
(Score: 5, Insightful) by PinkyGigglebrain on Friday May 19 2023, @08:16PM
sounds like it is time to add a few more lines to my /etc/host and firewall rules.
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 2) by deimtee on Friday May 19 2023, @09:17PM (3 children)
Why haven't they added a .dark for the dark web and .deep for the deep web?
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 0) by Anonymous Coward on Friday May 19 2023, @10:06PM
Too obvious. They can hide better on .net
(Score: 2) by janrinok on Saturday May 20 2023, @07:50AM
Perhaps nobody was prepared to pay the minimum bidding priced demanded by those in control.
(Score: 2) by Thexalon on Saturday May 20 2023, @11:02AM
Because using those would function much like the proposed solution to malware in RFC 3514 [ietf.org], which was never widely adopted?
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Funny) by Mojibake Tengu on Friday May 19 2023, @11:20PM
Best top ever.
Respect Authorities. Know your social status. Woke responsibly.
(Score: 3, Insightful) by jb on Saturday May 20 2023, @04:41AM
If your operating system decides what a file is supposed to contain based solely on its name, then it's long past time to throw it away and install something that wasn't designed by a complete fool.
I'm no fan of Google at all, but in this particular case the fault does not lie with Google. It lies squarely with Microsoft.
(Score: 3, Interesting) by Rosco P. Coltrane on Saturday May 20 2023, @08:44AM
Anything that's not a traditional ,net, .com, .co.something, gov, mil or a country TLD tells me one of 3 things:
- Phishing attempt or sketchy URL or email address
- Marketrdroid trying to be clever
- Something to block in uBlock Origin (most notable, anything that ends in .goog)
I almost always treat fancy TLDs as an excellent indication to steer clear what whatever's behind it. Very convenient.