Security Risks of New .zip and .mov Domains
Researchers are worried about Google’s .zip and .mov domains, because they are confusing. Mistaking a URL for a filename could be a security vulnerability.
Hauke • May 19, 2023 8:11 AM
I may be dating myself here, but I don’t remember a security issue with .com file types and domains.
The difference today, I would hazard a guess, is that the .com executable file isn’t common.
Cheers!
Chris • May 19, 2023 8:20 AM
@Hauke: there are issues with .com domains, but they are the other way around, in the form of people distributing malware that looks innocuous because it’s an executable called fun-website.com that people are tricked into running.
Morley • May 19, 2023 9:49 AM
The extensions turned out to be almost meaningless. Now mostly a way to make registrars more money, I think. Maybe “AOL keywords” had it right all along. Hah.
adao • May 19, 2023 10:27 AM
Mistaking a URL for a filename could be a security vulnerability.
This is not so much users mistaking it, but software. There’s a lot of software that makes mistakes by trying to be “helpful”. Like when we see a numbered list that goes 6, 7, (face with sunglasses), 9; or a reference to the ‘70s instead of the ’70s. Sometimes the behavior isn’t immediately visible. For example, if I highlight something Firefox thinks is a domain, like Chris’s reference to a “fun website” executable, the right-click menu will have several “open link” options—even though it’s not a link (I checked the HTML to verify). If even browser developers are so sloppy with the term “link”, can we be surprised if others don’t understand what they are and how they work?
It’s not much trouble to have to write brackets (for example) around a domain or URL to make it into a link. And I guess most people render HTML e-mails by default now, given that many mailers have stopped attaching a plaintext version. So, really, why should any software be trying to guess about what might be a domain name or filename? If it was meant to be a link, it would’ve been.
Roman Zenka • May 19, 2023 1:21 PM
John Levine • May 19, 2023 1:57 PM
These domains have been around since 2014. The only thing that’s new is that Google has made it easier to register in them.
But we should put the blame where it belongs, on Microsoft Windows which invented the terrible idea of recognizing executable files by their names, rather than by their contents as every sensible system does.
PattiM • May 19, 2023 2:59 PM
I’ve been around since before MS – it’s amazing to me that they’ve maintained the art of quite bad security for so many decades – while making people think they’re a good idea (as in, good at what they’re doing/selling).
David Leppik • May 19, 2023 3:50 PM
MS Windows inherited that from MS-DOS, which inherited it from CP/M, which inherited it from mainframes. At which point you’re talking about what makes sense for a punchcard-based system, where the tradeoffs are totally different from a global, internet-connected world.
Classic MacOS had a metadata fork for every file built into the filesystem. Problem is, that causes problems when you transfer files to and from non-metadata filesystems. They abandoned it when they replaced Classic with OpenSTEP.
Jim • May 20, 2023 5:41 AM
Like often, it's kind of blown out of proportion. As is the whole "Windows identifies executables by extension" thing that people cry so much about. No, that itself is not the issue; the issue is that people want comfort. And you can only take so much of that away before they stop using your product.
There are reasons Linux is still a niche product on desktops. It lacks comfort.
Woo • May 24, 2023 9:16 AM
The problem is that we've educated users for decades to look at the domain when downloading stuff, etc., and now the problem shifts elsewhere.
https://example.com/downloads/firmware/toaster-update.zip vs.
https://example.com/downloads/firmware/@toaster-update.zip
Google could probably start a criminal investigation into everyone who registers a .zip domain. The number of legitimate uses for those is tiny, and the appeal for scammers is huge.
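The two kinds of confusion raised in this thread (a bare token such as "toaster-update.zip" that is both a plausible filename and a syntactically valid hostname, and a full URL whose real host a reader may misjudge) can be checked mechanically. The following is an added example, not code from the post or its commenters; the loose domain regex and the set of ambiguous TLDs (.zip and .mov, as in the post) are my assumptions, and the sample strings are constructed from Woo's URLs plus a few extra cases.

```python
import re
from urllib.parse import urlsplit

# TLDs that collide with common file extensions; the post discusses .zip and .mov.
AMBIGUOUS_TLDS = {"zip", "mov"}

# Loose hostname syntax (assumption): dot-separated labels of letters, digits, hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def is_ambiguous_token(token):
    """True if a bare token (no scheme) reads as a filename AND is a valid
    hostname under an ambiguous TLD, i.e. the case where an auto-linkifier
    cannot know whether the author meant a file or a site."""
    if not _DOMAIN_RE.match(token):
        return False
    return token.rsplit(".", 1)[1].lower() in AMBIGUOUS_TLDS


def effective_host(url):
    """Return (host, warnings): the host a browser actually connects to per
    RFC 3986 parsing, plus notes a defender would want surfaced."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.username is not None:
        # Text before '@' in the authority is userinfo, not the host.
        warnings.append("userinfo present; real host follows '@'")
    tld = host.rsplit(".", 1)[-1]
    if tld in AMBIGUOUS_TLDS:
        warnings.append(f"host ends in file-extension-like TLD .{tld}")
    return host, warnings


# Constructed sample input: Woo's two URLs plus extra cases.
SAMPLE_TOKENS = ["toaster-update.zip", "seven.zip", "report.pdf", "my archive.zip"]
SAMPLE_URLS = [
    "https://example.com/downloads/firmware/toaster-update.zip",
    "https://example.com/downloads/firmware/@toaster-update.zip",
    "https://seven.zip/",
]

if __name__ == "__main__":
    for t in SAMPLE_TOKENS:
        print(f"{t!r}: ambiguous={is_ambiguous_token(t)}")
    for u in SAMPLE_URLS:
        print(f"{u}: host={effective_host(u)}")
```

Note that in Woo's second URL the "@" sits in the path, so the parsed host is still example.com; the userinfo warning only fires when "@" appears inside the authority part.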
lurker • May 24, 2023 8:10 PM
If only crims will benefit from these TLDs, then who will benefit from G’s trick of “Look, No Password, your device is your access token”?
Do No Evil must have been only a marketing slogan, not a mission statement.
Bob Paddock • May 19, 2023 7:57 AM
The popular file archiver 7-Zip has already moved in at seven.zip.