Comments

Hauke May 19, 2023 8:11 AM

I may be dating myself here, but I don’t remember a security issue with .com file types and domains.

The difference today, I would hazard a guess, is that the .com executable file isn’t common.

Cheers!

Chris May 19, 2023 8:20 AM

@Hauke: there are issues with .com domains, but they are the other way around, in the form of people distributing malware that looks innocuous because it’s an executable called fun-website.com that people are tricked into running.

Morley May 19, 2023 9:49 AM

The extensions turned out to be almost meaningless. Now mostly a way to make registrars more money, I think. Maybe “AOL keywords” had it right all along. Hah.

adao May 19, 2023 10:27 AM

Mistaking a URL for a filename could be a security vulnerability.

This is not so much users mistaking it, but software. There’s a lot of software that makes mistakes by trying to be “helpful”. Like when we see a numbered list that goes 6, 7, (face with sunglasses), 9; or a reference to the ‘70s instead of the ’70s. Sometimes the behavior isn’t immediately visible. For example, if I highlight something Firefox thinks is a domain, like Chris’s reference to a “fun website” executable, the right-click menu will have several “open link” options—even though it’s not a link (I checked the HTML to verify). If even browser developers are so sloppy with the term “link”, can we be surprised if others don’t understand what they are and how they work?

It’s not much trouble to have to write brackets (for example) around a domain or URL to make it into a link. And I guess most people render HTML e-mails by default now, given that many mailers have stopped attaching a plaintext version. So, really, why should any software be trying to guess about what might be a domain name or filename? If it was meant to be a link, it would’ve been.

John Levine May 19, 2023 1:57 PM

These domains have been around since 2014. The only thing that’s new is that Google has made it easier to register in them.

But we should put the blame where it belongs, on Microsoft Windows which invented the terrible idea of recognizing executable files by their names, rather than by their contents as every sensible system does.

PattiM May 19, 2023 2:59 PM

I’ve been around since before MS – it’s amazing to me that they’ve maintained the art of quite bad security for so many decades – while making people think they’re a good idea (as in, good at what they’re doing/selling).

David Leppik May 19, 2023 3:50 PM

MS Windows inherited that from MS-DOS, which inherited it from CP/M, which inherited it from mainframes. At which point you’re talking about what makes sense for a punchcard-based system, where the tradeoffs are totally different from a global, internet-connected world.

Classic MacOS had a metadata fork for every file built into the filesystem. Problem is, that causes problems when you transfer files to and from non-metadata filesystems. They abandoned it when they replaced Classic with OpenSTEP.

Jim May 20, 2023 5:41 AM

Like often, its kinda blown out of proportion. As well as the whole “Windows identifies executables by extension” which people cry so much about. No that itself is not the issue, the issue is people want comfort. And you can only take so much of that away, until they stop using your product.
There is reasons linux is still a niche product on desktops. It lacks comfort.

lurker May 24, 2023 8:10 PM

If only crims will benefit from these TLDs, then who will benefit from G’s trick of “Look, No Password, your device is your access token”?

Do No Evil must have been only a marketing slogan, not a mission statement.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.