Most non-technical people I know wouldn't have a clue what a .zip was. Windows has hidden file extensions by default now for decades. And having a phishing link in an email that says something.zip but links to somethingelse.com is a basic scammer 101 level technique. Why would it matter if the .zip was a real part of the URL or not.
Don't get me wrong, I dislike all of the generic TLDs, and the registration process behind them. But of all the points to argue on them, this seems like the weakest and least relevant.
perhaps i am getting mussed up by the definition of "non-technical people" but i've worked directly with many, many non-technical people over many years who definitely knew what a zip file was and what it was for. they might not all have necessarily known how to _create_ a zip file, and sure i had to coach/train a few here and there who legitimately didn't have a clue, but i think if you're talking about anyone who has used a computer for a large-ish piece of their work (whether it is "technical" work or not) in the last 10 years or so, the chance of them having more than no clue about what a zip file is, is higher than you think it is.
i can think of multiple instances each of accountants, graphics/media/designer folks, scriptwriters, admin/executive assistants, chauffeurs, playwrights, stagehands, light/rope riggers, costume designers/tailors, HR folks, security guards, painters, writers etc who have had to deal with .zips.
would a 20-years-exp industrial lathe engineer/specialist know what to do with a zip? maybe? maybe not? depends if they like to mess around with computers after hours or does their company distribute work orders via email? if so, maybe they've dealt with a zip.
if a "non-technical person" is someone who doesn't use a computer very much, then yeah, i'm with you. i personally wouldn't consider a junior graphic designer to be "technical" but i'd bet you all the money in my wallet that 95/100 of junior graphic designers know what to do with a .zip file.
BTW everything else you said, i 100% agree.
Are you kidding? That guy has to convert his files to binary, put them on a USB drive, carry them to SunOS server, plug them in, and type something in a command line to send the binary over Serial to his CNC machine.
Industrial equipment isn't EOL at 30 years, it's "lightly used." You'd be floored at how much "ancient" tech knowledge is required to operate it.
Those who are old enough to remember when files had extensions might know. Those who work with a file system daily know. In both cases we are talking about extreme minorities now.
Think of your 80 year old granny, or the guy down the road who’s never owned a computer.
Maybe you don’t have many in your circle but they are everywhere.
While an OS may hide extensions, not everything does. Notably, gmail shows the file extension for attachments.
See: people calling any animated image a gif, even though many are apng or webp
I've seen my aging father change settings on a new computer to turn on showing file extensions on Windows, because he and a lot of older users were on the cutting edge of computing back when knowing the file extension was useful for choosing how to open it.
Sure, I'm acutely aware that there are stupid users out there; I've worked I.T. But there is also a whole spectrum of computer users with varying levels of computer proficiency out there, whom we "computer people" don't see because they're not the ones who necessarily need help or cause problems. You can't necessarily extrapolate a visible minority of incompetent computer users to make statements about the entire population.
I don't necessarily have an opinion on whether that's enough justification to get rid of the .zip TLD. I'm just tired of the anti-user sentiment I'm hearing here.
See also: “Why does the Save icon look like that?” Most computer users these days have never in their life seen a floppy drive, but they still recognize it as the save icon.
as you point out, a .exe hiding behind a .zip is a problem caused by hiding extensions. and if we still lived in the 16bit DOS/Windows world, btw, MICROSOFT.COM would be a super problematic thing to click "especially-whether" the "extension" is shown or not (in 16 bit MSDOS, .COM is just as much a .EXE as .EXE is)
I'm just writing to extend your thought to the hiding of http:// and also www.
That's what introduces these problems, not a .ZIP tld, and I suspect/know it's the same people with this same type of thinking (whackamole problem solving) who think hiding http:// is a good idea (thereby causing the problem) and then suggest to fix any problems with more regulatory agencies to control what TLDs get created, what words we're allowed to use where, etc. (thereby causing new problems)
I'm not saying computer people "know better" and therefore invent systems that are tolerable to normies, I'm just saying I can't stand when normies are in charge of things that matter to me.
Indeed, a bunch of system binaries are themselves like that for historical reasons - CHCP.COM, FORMAT.COM, MORE.COM etc - because they originally had such names long ago in DOS, and someone somewhere might have a batch file that includes the extension.
A responsible OS should help educate and empower their users. Windows just want them to stay where they are, use Office and only install programs from their official store.
It's worse than phishing, because it could be a legitimate email from someone you trust.
(Overall, I mostly agree that the issues are ultimately somewhat minimal... but this is a situation where there's absolutely no upside and only downside.)
> Windows has hidden file extensions by default now for decades.
Thankfully this is easy to turn off. I hate it, and it makes me mad for a few seconds each time I get a new machine/OS install.
> Windows has hidden file extensions by default now for decades.
It amazes me that they won't stop doing this. The security problems around it are enormous, not to mention that it causes a lot of confusion that isn't easily resolved by non-technical people.
So the question is: is there another convincing reason for allowing this TLD on an internet level?
And what would you think about a .pdf or .docx TLD?
Or why even require a fixed extension given that it's a recursive system anyway.
1. Local DNS resolution. Bare (non-gTLD) DNS names are common in business networks, and although the expansion of the existing gTLD set complicates that, opening it wide can have unintended resolution impacts for these networks.
2. Browsers enforce security boundaries based on the origin of a site, and doing this is complex due to things like .co.uk. A naive implementation would grant all .co.uk domains into a single origin. The problem comes into play when looking at local DNS names. Without a known gTLD on the end of the DNS name, the browser assumes the root of the origin is the hostname itself. That is, given a locally resolvable http://bar and a locally resolvable http://foo.bar, both sites can communicate without restriction with respect to the Same Origin Policy. If we were to make gTLDs arbitrary, we'd have to break that behavior which could break a lot of intranet applications.
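The second point above rests on how a browser turns a hostname into a "site" (public suffix plus one label) using the Public Suffix List. The following is an added example, not code from the thread or from any browser: a minimal implementation of the PSL matching algorithm over a small constructed rule set, showing how a listed suffix like co.uk, a gTLD like zip, and an unlisted intranet name like foo.bar each come out. The rule set and hostnames are assumptions for illustration, not the real list.

```python
# Added example (not from the thread): a minimal version of the Public Suffix
# List matching algorithm, to show how a browser derives the registrable
# domain that cookies and related boundaries key off. PSL_RULES is a small
# constructed sample in PSL syntax, not the real list.
from typing import List, Optional

PSL_RULES = [
    "com",
    "uk",
    "co.uk",
    "*.ck",      # wildcard rule: every label directly under .ck is a public suffix
    "!www.ck",   # exception rule: www.ck itself is registrable
    "zip",       # a gTLD such as .zip is listed like any other TLD
]


def _rule_matches(rule: str, labels: List[str]) -> bool:
    """A rule matches when its labels line up with the host's trailing labels
    ("*" matches any single label)."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    for r, lab in zip(reversed(rule_labels), reversed(labels)):
        if r != "*" and r != lab:
            return False
    return True


def public_suffix(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    matches = [r for r in PSL_RULES if _rule_matches(r, labels)]
    # If nothing matches, the PSL says the prevailing rule is "*":
    # the last label alone is the public suffix (this is what an
    # unlisted intranet TLD like "bar" gets).
    if not matches:
        return labels[-1]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        # An exception rule's suffix is the rule minus its leftmost label.
        return ".".join(exceptions[0][1:].split(".")[1:])
    prevailing = max(matches, key=lambda r: r.count(".") + 1)
    n = prevailing.count(".") + 1
    return ".".join(labels[-n:])


def registrable_domain(host: str) -> Optional[str]:
    """Public suffix plus one label; None when the host *is* a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = public_suffix(host).count(".") + 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


if __name__ == "__main__":
    for h in ["www.example.co.uk", "financialstatement.zip", "zip", "foo.bar", "bar", "www.ck", "a.b.ck"]:
        print(f"{h:25} suffix={public_suffix(h):10} registrable={registrable_domain(h)}")
```

With zip in the rule set, financialstatement.zip is a registrable domain in its own right, exactly like example.com; a bare single-label name such as bar or zip has no registrable domain at all, which is the case the point above is worried about for local names.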
Most non-technical people in the 40+ age range that I know are well aware what .zip was and still is.
Please don't consider your circle of peers in their 20s as a representative sample of society.
And hopefully they are told that they might be risky.
Though, I think the solution here is for apps to stop doing that.
- wellsfargo.zip
- bankinfo.zip
- irs.zip
- email.zip
- taxreturns.zip
Which — in one sense it's great that there's some new domain names. On the other hand these 5 alone would be a total phishing nightmare for some unsuspecting people.
Such names appear to be much more plausible attack vectors because they will trap people trying to open files. If I found a cheap common one I was going to buy it just to see what kind of traffic it got, but everything interesting was a few hundred dollars and up.
that makes sense and is pretty good because otherwise people could very easily have bought out every decent domain.
For example, i have nabbed modpack.zip, ultimately however i dont see many scenarios where someone would make money from someone's technical inexperience being manipulated with this simple domain. But i feel slightly driven to keep it from the wrong hands. Plus that domain is really easy to remember which is great.
If you expect a host name and you end up clicking a file instead, that seems dangerous.
But in this case, you expect to open a file and you visit a website instead? That sounds simply annoying…
Maybe this is for browsers to deal with - if there is a collision between TLD and (file extension on this system) throw up a warning?
Do you think computer users always think that's the case? I tend to come down on the side of "no, probably not" but open to other arguments.
https://newgtlds.icann.org/en/about/trademark-clearinghouse/...
(Apologies to the good folk of Cameroon.)
As many other people have said, does anyone confuse C:\command.com and http://command.com? I doubt it.
Looks like it will take you to a zip file, but won't. hovering over the link looks legit enough. I just don't think it buys you that much. /shrug
I dunno that doesn't sound much worse than wellsfargo.info to me.
Really trying to understand this, I hope I don't come across as snarky or naïve.
We are slowly chipping away at defense in depth all in the name of convenience.
I could see that getting under a few people's radars, but it's not much more menacing than existing fishing tricks with lookalike urls.
(go ahead, click it)
Depending on platform, this is even more fun with command lines with commands like: `open familyphotos.zip`
But the point is, unless you are technically skilled, you probably can't tell whether you're about to go to a trusted file or download something random.
Depending on the context you would probably expect to be taken to a local file on the disk, you would never think this would download something new unless you were already in a context to do so.
Note that Google is also doing this for .mov. Both are file formats which can execute code (zip and mov both have exploits).
These TLDs should at least be removed from the PSL.
Edit: Here's a PoC screenshot: https://twitter.com/mholt6/status/1657133439546695680
There's also some that are less commonly encountered by non-tech people, but still fairly common in the tech world (depending on the person of course): .sh, .rs, .cab, .java, .py, .org, .pl, .pm, .target, .pub
That's just from a quick check from what I recognized from memory; I didn't feel like writing the code to also print out the MIME type and description and there may be more. Here's a full list of conflicts I generated from my /usr/share/mime/globs and the TLD list from ICANN, 74 conflicts in total: https://gist.github.com/arp242/ca24b58eaf37184b03e626c8e4093...
Is .zip more common? No doubt, so it does become worse, but this confusion already exists, and will no doubt grow in the future with further proliferation of tlds and file extensions.
Basically, we should probably do something about this regardless, although I'm not entirely sure what.
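The conflict list linked above was generated by intersecting a shared-mime-info globs file with ICANN's TLD list. The following is an added example, not the commenter's gist: parsers for both file formats and the intersection, run over small constructed samples embedded inline (the sample lines follow the real formats, but the full inputs would be /usr/share/mime/globs and the IANA list at https://data.iana.org/TLD/tlds-alpha-by-domain.txt).

```python
# Added example (not the gist from the comment): cross-reference a
# shared-mime-info "globs" file with the IANA TLD list to find extensions
# that are also valid TLDs. Both inputs below are small constructed samples
# in the real file formats.
from typing import Dict, Set

SAMPLE_GLOBS = """\
# This file was automatically generated by the update-mime-database command.
# DO NOT EDIT!
application/zip:*.zip
video/quicktime:*.mov
application/x-shellscript:*.sh
text/x-python:*.py
image/png:*.png
text/x-makefile:makefile
application/x-qw:*.qif
"""

SAMPLE_TLDS = """\
# Version 2023051300, Last Updated Sat May 13 07:07:01 2023 UTC
COM
ZIP
MOV
SH
PY
ORG
"""


def parse_globs(text: str) -> Dict[str, Set[str]]:
    """Map each '*.ext' glob to the MIME types that claim it.
    Globs without a leading '*.' (e.g. 'makefile') carry no extension and are skipped."""
    ext_to_types: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mime, _, glob = line.partition(":")
        if not glob.startswith("*."):
            continue
        ext = glob[2:].lower()
        if any(ch in ext for ch in "*?["):
            continue   # skip patterns like *.tar.* that aren't a single extension
        ext_to_types.setdefault(ext, set()).add(mime)
    return ext_to_types


def parse_tlds(text: str) -> Set[str]:
    """IANA publishes one upper-case TLD per line after a '#' header line."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def tld_extension_conflicts(globs_text: str, tlds_text: str) -> Dict[str, Set[str]]:
    """Extensions that are also TLDs, with the MIME types they denote."""
    exts = parse_globs(globs_text)
    tlds = parse_tlds(tlds_text)
    return {ext: types for ext, types in exts.items() if ext in tlds}


if __name__ == "__main__":
    for ext, types in sorted(tld_extension_conflicts(SAMPLE_GLOBS, SAMPLE_TLDS).items()):
        print(f".{ext}\t{', '.join(sorted(types))}")
```

Reading the real files instead of the samples gives the MIME type and extension for every conflict, which is the column the comment says it skipped.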
Of course we all know what will really happen is Google will continue to use Chrome to obfuscate the way the internet works and all of the big tech companies will sell "solutions" to the problems they're causing. Most people will end up completely dependent on Google's Advanced Protection Program, Microsoft's SmartScreen Filter, etc..
The `open` command on macOS doesn’t open websites if no schema is specified. At best (worst?) it makes a suggestion:
```
$ open google.com
The file /private/tmp/google.com does not exist.
Perhaps you meant 'http://google.com'?
```
But it doesn’t even try it with the zip TLD:
```
$ open familyphotos.zip
The file /private/tmp/familyphotos.zip does not exist.
```
Did you and the GP just invent a new kind of phishing? Lmao. Go grab bitcoin-wallet.zip and start emailing people.
Hi. Here's the cold wallet with the $5 million you requested. The password is 'password'.
Then 5 minutes later send a panicked looking email. Do NOT open the previous email. It was sent to you by accident. You are NOT authorized to view it. DELETE IT NOW!
Haha.
And most applications (even some browsers) will even helpfully strip out the "ugly https" in front too, and make it clickable. :)
Under what circumstances would a link you click on a website or an email _ever_ be a trusted file?
> I've attached familyphotos.zip -- here you go!
The email client will presumably have a link below called familyphotos.zip, but the email client ALSO link-ified the text familyphotos.zip to download the content at https://familyphotos.zip, which is untrusted but you don't realize it doesn't go to the same familyphotos.zip file.
Screenshot: https://twitter.com/mholt6/status/1657133439546695680
Update: Turns out it just contains what_happened.txt, a copy of which is below. Thanks anonymous person!
```
"Hey, this isn't family pictures!"
You're right -- and that link you clicked wasn't a file attached to the email or message you received.
Thanks to Google[0][1], now it's impossible to discern the difference between a link to an attachment called "familyphotos.zip" and a link to this file... unless you are able to inspect the destination of a link before clicking it. Most software and apps don't allow that, and most people don't know how to tell the difference anyway.
Have fun in the Wild Wild Web!
[0]: https://www.blog.google/products/registry/8-new-top-level-do... [1]: https://twitter.com/Google/status/1653866291692728320
```
Don't worry. Google will offer enhanced protection to keep your account from being phished and hijacked. How convenient.
I hereby want the .exe, .arj, and .rar TLD :-)
For jpeg, that would be a terms of service agreement? Or would the TLD manage all hosting?
Imagine every file extension was a domain. Imagine all the public files of the world existing on the internet at their very own URL. It’s like the internet was just one massive directory of files.
Now wouldn’t that be amazing?
URL prefixes were supposed to resolve this ambiguity (file:// vs. http[s]://), but I guess people got tired of saying "aych-tee-tee-pee-colon-slash-slash..." :-)
gTLDs can and should be held to a higher standard.
.exe to host web-assembly content?
someone types "product.zip" into the address bar thinking the browser will automatically google it because of course it's not a valid domain name
but it turns out product.zip is a valid domain name, and it masquerades either as the product's webpage or as a delivery vector for other payloads.
---
I've mistyped search terms with periods in them and seen the browser try to route me to an invalid domain, so this isn't beyond the realm of reason.
---
edit: xsmasher below came up with a much more obvious attack case that deserves a read.
What you think is an attachment from a trusted source is actually a link to the web.
Your boss sends you this plaintext email:
Hi!
Please upload the photos as photos.zip to the company GDrive!
Thanks,
Boss
Your email client "helpfully" recognizes that "photos.zip" can be a TLD, so turns it automatically into a hyperlink. You click it because you think it's a link your boss intended to share with you, but you actually land on a site that pwns your browser with an exploit.
For a technical professional, I fight with the behavior of my web browser's address bar far more often than I really think I should. Maybe the average person would be far better served if the browser only assumed you meant a URL if you explicitly included a scheme, and otherwise just did a search.
If you were looking for a zip and knew with good chance it's on the internet, why not?
Googling for "product.zip" makes no sense. Unless it's an actual website.
What percentage of the population is tech-illiterate?
maybe a single-digit percentage of HN, but the vast majority of the world even today can't find the control panel on Windows. And anecdata from school systems suggests that consumption-focused devices are regressing the next generation of users such that millennials and early gen-z are probably the peak of tech-literacy.
Nobody used .test, .example, or .home.arpa
B) Being a good domain name for development - mysite.localhost turned out to be better.
.test is a bit more flexible, and what I use now. I'd prefer if .dev was reserved as well, but that ship has sailed.
From https://www.rfc-editor.org/rfc/rfc1034 3.6.1, we see
----------------------
For example, we might show the RRs carried in a message as:
```
ISI.EDU.        MX      10 VENERA.ISI.EDU.
                MX      10 VAXA.ISI.EDU.
VENERA.ISI.EDU. A       128.9.0.32
                A       10.1.0.52
VAXA.ISI.EDU.   A       10.2.0.27
                A       128.9.0.33
```
----------------------
Notice it's not ISI.EDU, but it's ISI.EDU. for an absolute fully-qualified domain name.
You can also notice weirdnesses here when you go to https://news.ycombinator.com. (copy and paste with period), like you're not logged in due to cookies not sharing.
But requiring absolute FQDN's would solve this https://financialstatement.zip -> https://financialstatement.zip. and remove the ambiguity.
The "." at the end also serves another level of defense. When you provide a URL without a . at the end, I can append .someotherdomain.com. and redirect traffic. And I've seen that in the wild before.
And the difference between "pedantic" and "technically correct" is how you get hacked. But feel free to throw insults. I know one of us is right, and it ain't you.
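The trailing-dot argument above is about resolver search lists: a name without a trailing dot is relative and may be expanded with configured suffixes before (or after) the root is tried. The following is an added example, not code from the thread: a function reproducing the candidate order a glibc-style stub resolver uses (the `ndots` option, default 1), with a constructed search list, so the difference between financialstatement.zip. and financialstatement.zip can be seen directly.

```python
# Added example (not from the thread): how a stub resolver with a search list
# expands a name, in the order glibc uses (resolv.conf "options ndots",
# default 1). A name with a trailing dot is absolute and is never expanded.
# The search list below is a constructed example.
from typing import List


def resolution_candidates(name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Fully-qualified names a resolver would try for `name`, in order."""
    if name.endswith("."):
        return [name]                       # absolute: exactly one lookup, at the root
    as_root = name + "."
    via_search = [f"{name}.{domain.rstrip('.')}." for domain in search_list]
    if name.count(".") >= ndots:
        return [as_root] + via_search       # enough dots: try root first, then search list
    return via_search + [as_root]           # few dots (e.g. "fileserver"): search list first


if __name__ == "__main__":
    corp = ["corp.example", "example"]      # constructed search list
    for n in ["financialstatement.zip.", "financialstatement.zip", "fileserver"]:
        print(n, "->", resolution_candidates(n, corp))
    print("ndots=2 ->", resolution_candidates("financialstatement.zip", corp, ndots=2))
```

Whenever a search-list candidate is tried, the answer comes from whoever controls that zone, which is the redirection the comment describes; the absolute form never reaches that branch. Note that raising `ndots` moves the search-list candidates ahead of the root lookup even for a two-label name.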
No one (within a rounding error of 0%) will change how they enter, use, or program systems to work with, URLs to use the FQDN. The incompatibility nightmare it would cause would be insurmountable.
So I don’t think pointing out the technicality of how a domain name is supposed to be represented really helps in this context.
This document clearly says that the dotless form is perfectly acceptable and even expected.
Take for example this snippet:
Relative names are either taken relative to a well known origin, or to a
list of domains used as a search list. Relative names appear mostly at
the user interface, where their interpretation varies from
implementation to implementation, and in master files, where they are
relative to a single origin domain name. The most common interpretation
uses the root "." as either the single origin or as one of the members
of the search list, so a multi-label relative name is often one where
the trailing dot has been omitted to save typing.
Which says that relative names are meant to be used in user interface (ie by humans) and the most common interpretation of a dotless name is to be in the global/root namespace.
So yes, the dotless notation comes down to own we interpret domain names. However that interpretation is not a mistake, it is expected.
But clearly, this is a problem!
Why is Google actually doing this? Presumably they have some motivation other than making a small profit on registration fees. What’s their angle here?
Isn't it time to leverage what's left of the decentralisation of the web rather than beg google?
That's probably worse than the alternative: I don't think we want a world where the person in accounting can resolve hxxps://financialstatement.zip and the person triaging it in IT can't.
It's even free if you use the free forever VPS server Oracle will give you. The uplink being limited to 50 Mbps isn't an issue for DNS (and similar lightweight protocols).
I'd recommend putting the DNS behind a secret subdirectory though, because my server accidentally got added to a DNS server list and a small country started querying mine at about 30k per second
I think ICANN has increasingly become a failure, in several ways.
- Constant questionable TLD approvals (did the world really need more than the basic five? It's a scammer's dream!)
- IANA mismanaging IPv4 assignment, giving 16.7 million addresses to people who didn't need them at the beginning (like, Apple, who is comfortably sitting on every address starting with 17, or Ford, with every address starting with 19). Causing, of course, IPv4 address auctions...
- The whole .org domain sale fiasco to a private equity firm
- The contracts with VeriSign for .com management and price increases there for no particular reason
- Approving the .sucks domain, in what was widely criticized for having no public value other than to humiliate and extort corporations and individuals
- Giving the .amazon TLD to the company, instead of the Amazon Cooperation Treaty Organization (ACTO) which is comprised of countries involved in the actual Amazon rainforest after a years-long battle
And so forth...
The US government could step in and demand that the big HODL'ers of not actively used IP space release it back to IANA. It's even worse than Nestle and others hogging onto extremely old water rights because Nestle at least makes something that people can drink...
Our governments are sitting and idling around while valuable resources - IP addresses, water, food, whatever - get ever more and more scarce as large chunks are held hostage by private companies.
Only because of domain squatters...
For example, we receive a phishing email which reads "This is the bank with your financial statement attached. It's a password protected zip file encrypted with your online banking credentials for security." We click to download and end up at https://financialstatement.zip, where a JS prompt asks us for the decryption password. We think we're interacting with the file system and get owned.
Crucially, i) some browsers don't display the URI scheme in the address bar, and ii) people are used to the idea of a password-protected zip file, and iii) people are used to opening files with their browser.
<a href="https://anydomainname.com/">financialstatement.zip</a>
If it's a plain text email, attachments show up in a separate area.
If it's an HTML email, you could potentially fake the attachment area with or without a .zip TLD, just by adding a carefully constructed image.
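Both the "photos.zip" email earlier in the thread and the `<a href="https://anydomainname.com/">financialstatement.zip</a>` anchor above come down to the same two checks a mail client or gateway could make before rendering a link: does the visible text look like a filename whose extension is also a TLD, and does the visible text name a different host than the href? The following is an added example, not code from the thread or from any mail client: an audit over an HTML body using the standard library's HTML parser, with a constructed extension/TLD set and a constructed sample message.

```python
# Added example (not from the thread): a defensive check an email client or
# gateway could run over an HTML body before rendering links. It flags
# (a) anchors whose visible text looks like a filename whose extension is
# also a TLD, i.e. "familyphotos.zip" that is really a web link, and
# (b) anchors whose visible text names a different host than the href.
# FILE_EXT_TLDS and SAMPLE_EMAIL are constructed for the example.
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Extensions that are also delegated TLDs (a constructed subset; the IANA
# TLD list crossed with a MIME globs file gives the full set).
FILE_EXT_TLDS = {"zip", "mov", "sh", "py", "pl", "rs"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text: str) -> str:
    """Hostname named by a URL or bare hostname; '' if the text isn't one."""
    if not text or any(ch.isspace() for ch in text):
        return ""
    candidate = text if "://" in text else "//" + text
    try:
        host = (urlsplit(candidate).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""
    return host if "." in host else ""


def audit_links(html: str) -> List[Tuple[str, str, str]]:
    """Return (reason, visible_text, href) for each suspicious anchor."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown = _host_of(text)
        if not shown:
            continue   # ordinary words ("Sign in"): nothing to compare
        if shown.rsplit(".", 1)[-1] in FILE_EXT_TLDS:
            findings.append(("looks-like-file", text, href))
        real = _host_of(href)
        if real and real != shown and not real.endswith("." + shown):
            findings.append(("host-mismatch", text, href))
    return findings


SAMPLE_EMAIL = """
<p>Hi! Please upload the photos as
<a href="https://photos.zip">photos.zip</a> to the company GDrive!</p>
<p>Statement: <a href="https://anydomainname.com/">financialstatement.zip</a></p>
<p>Docs: <a href="https://www.example.com/help">example.com</a></p>
<p><a href="https://example.com/login">Sign in</a></p>
"""

if __name__ == "__main__":
    for reason, text, href in audit_links(SAMPLE_EMAIL):
        print(f"{reason:16} text={text!r} href={href!r}")
```

The auto-linkified "photos.zip" trips only the first check (text and href agree, but the text reads as a file), while the anydomainname.com anchor trips both; a subdomain of the shown host, as with www.example.com, is deliberately not reported.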
[0] https://newgtlds.icann.org/en/applicants/global-support/faqs...
(It's not Google's or IANA's or whoever's responsibility to fix a namespacing problem here, but it's also maybe not ideal that less-technical users are funneled into a single "omnibar" interface for both searching and domain resolution.)
Namecheap says:
> Why choose a .ZIP domain?
> Build your brand fast with a .zip. The .zip top-level domain (TLD) is the perfect fit for organizations specializing in file sharing, storage, and download technology, or for anyone offering speedy and efficient online service.
> Is a .ZIP domain extension right for me?
> Use your .zip TLD to showcase your expertise in the field of file compression software or impress your clients with turbo-charged customer service.
Really?
ICANN sold out the internet.
It's eye-opening to read about, for example, the stated geopolitical goals of the United States, who like every nation-state seeks total invulnerability, which in turn requires total dominance. Individuals aren't used to thinking in these terms - its extremely unsentimental and matter-of-fact game theory stuff that will curdle milk.
TBH I'm guessing. I don't really see how expansion of tlds helps Google with this goal - maybe they just want more namespace to control as a registrar? That doesn't make sense. Hopefully I've nerd-sniped someone who knows more.
Probably something fresh and some PR for their Google Domains department or etc.
I’m really curious to know what this person has in mind.
Speaking of which, who owns command.com ?
subdomain.domain.tld/root/to/sub/path
That goes inwards-out. If we had started with tld.domain.subdomain/root/to/sub/path
it all goes from top-level to bottom.
Therefore I propose we fix nothing until we deal with this.
Face it, it's legacy, and just like QWERTY, it's never going to be fixed.
I see TV ads where the narrator just says "Search for $BRAND_NAME" expecting you to google it, AOL keywords all over again.
.exe is so s.exy
I've instead gone with .dev for my personal domain. It was a bit annoying updating my email everywhere, but I'm a lot happier with this.
Unless you're migrating soon, you are always going to be citizen of that country.
Preach!
That might because I don't think Google is evil (I'm biased because I used to work there), but I think even if I did, a dispassionate description of the problem would be as or more persuasive.
edit: I found Google's application to ICANN for the .zip gTLD. Abuse is mentioned a bunch but it seems pretty boilerplate. I don't yet see anything acknowledging the risk of .zip domains in particular: https://gtldresult.icann.org/applicationstatus/applicationde... (pointing out something lacking in Google's .zip gTLD application seems a stronger footing for getting ICANN to take action)
Also as others have commented, those not so tech savvy would probably not know what .zip or .mov files are anyway, and therefore their first instinct will be that they're links to sites rather than the other way around.
Even if Google wasn’t the .zip owner, or if you don’t believe they’re an insidiously corrupting force, you can still agree that .zip domains are overly confusing and ripe for abuse and attacks. This argument stands on its own, and focusing on the Google aspect just muddles the issue. (Though I agree with some of the sentiment)
libfooblah.so or something like that, i dare not post the actual name because of course it's gotta be something sketchy as a website.
Couldn't you already send someone an email or direct them to a webpage where the text "financialstatement.zip" is linked... anywhere?
You can argue that removing the .zip TLD is a better solution, but this one is immediately actionable (you control the browser)
[1] https://reddit.com/r/programming/comments/13fsvl5/the_zip_tl...
A ".zip" is just four characters at the end of the filename. It conventionally means it's a ZIP compressed file, but it could contain anything.
Same with any other filename, .pdf, .doc, .wav, .jpg, etc. They are conventions but that's all they are.
Maybe Poland should change its name so Perl programmers don't get confused.
Disable the zip TLD and you're left with like 100 million ways to scam people. What did you actually achieve?