from Hacker News

The .zip TLD sucks

by me_again on 5/12/23, 6:38 PM with 318 comments

  • by ilikepi on 5/12/23, 6:46 PM

    Earlier discussion on Google's announcement: https://news.ycombinator.com/item?id=35917362
  • by SimonPStevens on 5/12/23, 7:17 PM

    Not sure it matters that much.

    Most non-technical people I know wouldn't have a clue what a .zip was. Windows has hidden file extensions by default now for decades. And having a phishing link in an email that says something.zip but links to somethingelse.com is a basic scammer 101 level technique. Why would it matter if the .zip was a real part of the URL or not?

    Don't get me wrong, I dislike all of the generic TLDs, and the registration process behind them. But of all the points to argue on them, this seems like the weakest and least relevant.

  • by mholt on 5/12/23, 7:48 PM

    Hey mom, here's the photos from our last family get-together: familyphotos.zip

    (go ahead, click it)

    Depending on platform, this is even more fun with command lines with commands like: `open familyphotos.zip`

    But the point is, unless you are technically skilled, you probably can't tell whether you're about to go to a trusted file or download something random.

    Depending on the context you would probably expect to be taken to a local file on the disk, you would never think this would download something new unless you were already in a context to do so.

    Note that Google is also doing this for .mov. Both are file formats which can execute code (zip and mov both have exploits).

    These TLDs should at least be removed from the PSL.

    Edit: Here's a PoC screenshot: https://twitter.com/mholt6/status/1657133439546695680

  • by jbverschoor on 5/12/23, 7:14 PM

    Well, there's also .com which was confusing for me as a 12 year old thinking it had something to do with a .COM executable, and nobody could explain what it meant.

    I hereby want the .exe, .arj, and .rar TLD :-)

  • by eganist on 5/12/23, 7:16 PM

    For those having a hard time fathoming it, here's a rather simple attack case:

    someone types "product.zip" into the address bar thinking the browser will automatically google it because of course it's not a valid domain name

    but it turns out product.zip is a valid domain name, and it masquerades either as the product's webpage or as a delivery vector for other payloads.

    ---

    I've mistyped search terms with periods in them and seen the browser try to route me to an invalid domain, so this isn't beyond the realm of reason.

    ---

    edit: xsmasher below came up with a much more obvious attack case that deserves a read.

  • by psacawa on 5/12/23, 7:53 PM

    A phishing strategy this enables: confusing the https:// URI scheme with the file:// pseudo-URI scheme.

    For example, we receive a phishing email which reads "This is the bank with your financial statement attached. It's a password protected zip file encrypted with your online banking credentials for security." We click to download and end up at https://financialstatement.zip, where a JS prompt asks us for the decryption password. We think we're interacting with the file system and get owned.

    Crucially, i) some browsers don't display the URI scheme in the address bar, and ii) people are used to the idea of a password-protected zip file, and iii) people are used to opening files with their browser.
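    The scenarios mholt, eganist and psacawa describe all start with a token that reads as a filename but resolves as a host. The following Python is an added example for this thread, not code from any commenter, from Google or from ICANN: a small scanner a mail gateway or chat bot could run over plain-text bodies to flag bare `name.ext` tokens and explicit URLs whose last label is one of the file-extension-like TLDs discussed here. The TLD list, the sample message and the assumption that an auto-linkifier turns any dotted token into a link are constructed for the example; `.com` is deliberately left out of the default set because it would flag nearly every message.

```python
"""Flag filename-looking tokens that are also resolvable domains.

Added example for the HN thread; not from any commenter or vendor.
Assumes: we see the plain-text body, and the linkifier we defend
against treats any `label.label` token as a link (a common heuristic).
"""
import re
from dataclasses import dataclass

# TLDs that collide with common file extensions. .zip and .mov are the
# two from the announcement; .sh, .so and .run are real TLDs commenters
# ran into. Constructed default list, not exhaustive; .com excluded
# on purpose because of volume.
EXTENSION_TLDS = frozenset({"zip", "mov", "sh", "so", "run"})

# Explicit URL: we only need the host part.
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

# Bare token a linkifier would pick up: labels joined by dots, optional
# trailing root dot. The lookbehind keeps us out of URLs, e-mail
# addresses and the middle of a longer host.
BARE_RE = re.compile(
    r"(?<![\w./@-])([a-z0-9-]+(?:\.[a-z0-9-]+)+\.?)(?![\w/-])", re.I
)


@dataclass(frozen=True)
class Finding:
    kind: str   # "url" (explicit link) or "bare" (would be auto-linked)
    token: str  # text exactly as it appeared
    host: str   # lower-cased, trailing root dot removed
    tld: str


def normalise_host(token: str) -> str:
    """Lower-case and drop the RFC 1034 trailing dot so 'x.zip.' == 'x.zip'."""
    return token.lower().rstrip(".")


def flag_extension_tlds(text: str, tlds: frozenset = EXTENSION_TLDS) -> list:
    """Return every host in `text` whose TLD is also a file extension."""
    findings = []
    url_spans = []
    for m in URL_RE.finditer(text):
        url_spans.append(m.span())
        host = normalise_host(m.group(1))
        tld = host.rsplit(".", 1)[-1]
        if tld in tlds:
            findings.append(Finding("url", m.group(1), host, tld))
    for m in BARE_RE.finditer(text):
        start = m.start(1)
        if any(s <= start < e for s, e in url_spans):
            continue  # already counted as part of an explicit URL
        host = normalise_host(m.group(1))
        tld = host.rsplit(".", 1)[-1]
        if tld in tlds:
            findings.append(Finding("bare", m.group(1), host, tld))
    return findings


# Constructed sample body mixing the thread's own examples.
SAMPLE_EMAIL = """\
Hi Mom, here are the photos from the get-together: familyphotos.zip
The statement is at https://financialstatement.zip (password protected).
Docs for subprocess.run are on docs.python.org, and the library is libfooblah.so.
Your old link still works: https://news.ycombinator.com/
"""

if __name__ == "__main__":
    for f in flag_extension_tlds(SAMPLE_EMAIL):
        print(f"{f.kind:4} {f.token!r:32} -> resolvable .{f.tld} host {f.host}")
```

    The "bare" findings are the ones the thread is about: nothing in the message is a link until a client decides `familyphotos.zip` should be one. Tokens that end a sentence keep their trailing dot, which is why the host is normalised before the TLD is read.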

  • by avalys on 5/12/23, 7:07 PM

    They occupy such different parts of my conceptual headspace that it never occurred to me that filename extensions could be confused with TLDs, or vice-versa.

    But clearly, this is a problem!

    Why is Google actually doing this? Presumably they have some motivation other than making a small profit on registration fees. What’s their angle here?

  • by biofunsf on 5/12/23, 10:10 PM

    This page is 90% an inflammatory rant against Google. Why does it matter who owns .zip? These domains can be abused no matter what. This page is almost actively harmful to the cause by making it seem like the entire motivation is just being anti-Google.

    edit: I found Google's application to ICANN for the .zip gTLD. Abuse is mentioned a bunch but it seems pretty boilerplate. I don't yet see anything acknowledging the risk of .zip domains in particular: https://gtldresult.icann.org/applicationstatus/applicationde... (pointing out something lacking in Google's .zip gTLD application seems a stronger footing for getting ICANN to take action)

  • by growthwtf on 5/12/23, 7:10 PM

    Yeah wow this is actually pretty bad. Right now I can go buy:

    - wellsfargo.zip

    - bankinfo.zip

    - irs.zip

    - email.zip

    - taxreturns.zip

    Which — in one sense it's great that there's some new domain names. On the other hand these 5 alone would be a total phishing nightmare for some unsuspecting people.

  • by yafbum on 5/12/23, 7:21 PM

    It's a dumb TLD for sure, but can someone explain what the security problem is? Is there a segment of users who'd be confused enough not to see the difference between a URL and a file name, but smart enough to be able to make that distinction if only the .zip TLD didn't exist?
  • by renewiltord on 5/12/23, 7:37 PM

    IMHO the real problem was having domains go backwards in most-significant to least-significant.

        subdomain.domain.tld/root/to/sub/path
    
    That goes inwards-out. If we had started with

        tld.domain.subdomain/root/to/sub/path
    
    it all goes from top-level to bottom.

    Therefore I propose we fix nothing until we deal with this.

  • by gjsman-1000 on 5/12/23, 7:15 PM

    > The people who care are asleep at the wheel at best, some aren't with us anymore, and ICANN has failed all of us by allowing this to happen.

    I think ICANN has increasingly become a failure, in several ways.

    - Constant questionable TLD approvals (did the world really need more than the basic five? It's a scammer's dream!)

    - IANA mismanaging IPv4 assignment, giving 16.7 million addresses to people who didn't need them at the beginning (like, Apple, who is comfortably sitting on every address starting with 17, or Ford, with every address starting with 19). Causing, of course, IPv4 address auctions...

    - The whole .org domain sale fiasco to a private equity firm

    - The contracts with VeriSign for .com management and price increases there for no particular reason

    - Approving the .sucks domain, in what was widely criticized for having no public value other than to humiliate and extort corporations and individuals

    - Giving the .amazon TLD to the company, instead of the Amazon Cooperation Treaty Organization (ACTO) which is comprised of countries involved in the actual Amazon rainforest after a years-long battle

    And so forth...

  • by arsome on 5/12/23, 7:23 PM

    By this (ridiculous) standard, DOS com executables make ".com" the worst offender. Or how about shell scripts and ".sh"?
  • by yeldarb on 5/12/23, 7:22 PM

    The worst would be a .js TLD; everyone looking for web frameworks like `angular.js` would end up on a website (that probably is not affiliated with that tool) instead of a search result page. Would make it incredibly easy to trick people into installing malicious dependencies.
  • by woodruffw on 5/12/23, 7:16 PM

    This is more or less how I felt when typing `subprocess.run` into the omnibar and discovering that `.run` is now a valid gTLD.
  • by benatkin on 5/12/23, 7:15 PM

    I disagree after seeing what happened with .dev. I myself was concerned about it but it turned out to be fine. This will be the same.
  • by 8organicbits on 5/12/23, 8:10 PM

    What's the legitimate reason we need a .zip TLD?

    Namecheap says:

    > Why choose a .ZIP domain?

    > Build your brand fast with a .zip. The .zip top-level domain (TLD) is the perfect fit for organizations specializing in file sharing, storage, and download technology, or for anyone offering speedy and efficient online service.

    > Is a .ZIP domain extension right for me?

    > Use your .zip TLD to showcase your expertise in the field of file compression software or impress your clients with turbo-charged customer service.

    Really?

    https://www.namecheap.com/domains/registration/gtld/zip/

  • by mavili on 5/12/23, 7:42 PM

    Erm, clearly this person is angry lol. I sense that they must be an older person because they think about files being shown as links/underlined texts and therefore people will mistake a domain name for a file. I think today's systems and software are more user-friendly and most of the time links and file names are displayed differently enough for people to know which one is which.

    Also as others have commented, those not so tech savvy would probably not know what .zip or .mov files are anyway, and therefore their first instinct will be that they're links to sites rather than the other way around.

  • by me_again on 5/12/23, 6:38 PM

    Kind of an inflammatory page, but the .zip TLD doesn't seem like a great idea.
  • by varenc on 5/12/23, 9:34 PM

    I feel like the core message on this page is really weakened by including a broader critique of Google. It shouldn't matter who owns the TLD.

    Even if Google wasn’t the .zip owner, or if you don’t believe they’re an insidiously corrupting force, you can still agree that .zip domains are overly confusing and ripe for abuse and attacks. This argument stands on its own, and focusing on the Google aspect just muddles the issue. (Though I agree with some of the sentiment)

  • by grozzle on 5/12/23, 7:36 PM

    Just today, I had a no-https warning from a .so site when I was trying to search for information about some linux library file.

    libfooblah.so or something like that, I dare not post the actual name because of course it's gotta be something sketchy as a website.

  • by iforgotpassword on 5/12/23, 8:21 PM

    Huh, I clicked on news.ycombinator.com the other day thinking I'd launch an MS-DOS application and ended up here. Have been stuck posting comments ever since.
  • by sn_master on 5/12/23, 7:29 PM

    What's next? We'll have a .exe TLD? Even if the OS will prioritize local files, there's no guarantee all the 3rd party apps old and new will use the same rule.
  • by eli on 5/12/23, 7:20 PM

    I get the concern at a high level, but it seems weird to not have any specific examples or a PoC.

    Couldn't you already send someone an email or direct them to a webpage where the text "financialstatement.zip" is linked... anywhere?

  • by AviationAtom on 5/12/23, 8:10 PM

    Fun read about the usage of CORP as the default domain for Windows Active Directory domains and the chaos that might have come had Microsoft not ponied up for the domain: https://krebsonsecurity.com/2020/02/dangerous-domain-corp-co...
  • by eterm on 5/12/23, 7:11 PM

    Wouldn't it be easy for cloudflare and other ~~WHOIS~~ DNS providers to just not propagate the .zip domain?

    Isn't it time to leverage what's left of the decentralisation of the web rather than beg google?

  • by jug on 5/12/23, 10:45 PM

    I agree. This is pretty terrible because it even circumvents what has so far been assumed to be "safe" methods of reading e-mail -- by stripping them down to plain text. Even avoiding <a href="actual">fake</a> attacks won't help by showing "actual" because that will be the attack vector itself. Ugh!!
  • by diebeforei485 on 5/12/23, 8:41 PM

    Some of the ccTLDs have gone way up in price (especially the .ai domain, which was around $20 but I cancelled when I saw it would cost nearly $150 to renew). To some extent this has also affected the popular .io domains.

    I've instead gone with .dev for my personal domain. It was a bit annoying updating my email everywhere, but I'm a lot happier with this.

  • by NotYourLawyer on 5/12/23, 8:38 PM

    > Throughout the 2010s, Google has easily been one of the most insidiously corrupting forces on the internet, rivaled by none. Its takeover of the modern web through utter domination of the search engine market, chokehold over web standards, and near complete monopolization of web browsers has rendered much of the world beholden to it.

    Preach!

  • by armchairhacker on 5/12/23, 7:16 PM

    Honestly it would be good to just patch browsers to keep interpreting .zip and other common file extensions as a search query (.com, .org, etc can stay)

    You can argue that removing the .zip TLD is a better solution, but this one is immediately actionable (you control the browser)

  • by nfoz on 5/12/23, 7:13 PM

    This is the deliberate reason why this TLD exists.

    ICANN sold out the internet.

  • by hgs3 on 5/13/23, 2:43 AM

    There is an excellent explanation on proggit [1] that describes an attack vector for .zip TLDs. More specifically, it explains how a trusted source might inadvertently link to a malicious file.

    [1] https://reddit.com/r/programming/comments/13fsvl5/the_zip_tl...

  • by graiz on 5/12/23, 8:43 PM

    On windows you can have a .com file as an attachment too. Should we ban .com sites? Is the issue that you can fool people to open a website rather than a file? I'm not sure I follow how a TLD makes that easier. Even if you didn't have a top level TLD a non-experienced user isn't going to be able to tell because they don't look at file extensions anyway, just change the FAV icon and you're set.
  • by jacobsenscott on 5/12/23, 9:40 PM

    If you've been using .foo in your tests or whatever, that's on you. You shouldn't have a license to work on software that touches a network if you haven't seen https://www.rfc-editor.org/rfc/rfc2606
  • by dmcq2 on 5/12/23, 8:50 PM

    They'd obviously hate me too! I've got directories called <name>.html which have an index.html in them which I use to have an equivalent to <name>.pdf with all the image files and fonts included in them. But yes it does seem like troublemaking to have a .zip directory that doesn't act like a zip file
  • by SoftTalker on 5/12/23, 8:41 PM

    The original mistake was tying filename "extensions" to content.

    A ".zip" is just four characters at the end of the filename. It conventionally means it's a ZIP compressed file, but it could contain anything.

    Same with any other filename, .pdf, .doc, .wav, .jpg, etc. They are conventions but that's all they are.

  • by gambiting on 5/12/23, 7:25 PM

    I mean, that was a good rant, except I still don't understand why this is a problem
  • by WirelessGigabit on 5/12/23, 9:12 PM

    This reminds me of when eBay had '.dll' in their URL and our overzealous webfilter thought we were downloading a '.dll' versus trying to win the bid on that highly coveted Pokemon card.
  • by arlattimore on 5/12/23, 9:04 PM

    When this TLD was announced, I was honestly shocked that someone suggested it and that it was approved - seems like such a daft idea to me to even entertain the idea of adding more confusion in this space.
  • by pimlottc on 5/12/23, 8:06 PM

    Why is Google involved in something like this in the first place?
  • by trollian on 5/12/23, 9:05 PM

    Standard PC executables end in .com, so we should probably get rid of that one too.

    Maybe Poland should change its name so Perl programmers don't get confused.

  • by RektBoy on 5/12/23, 8:44 PM

    Who cares anyway? Old people or young people, doesn't matter. Everyone WANTS to be scammed. Because they're scared too much, or they're greedy or they respect authorities too much.

    Disable zip TLD and you're left with like 100 million ways how to scam people. What did you actually achieve?

  • by CPLX on 5/12/23, 7:25 PM

    I mean if you're old then there was a time when .com was the most common file extension at all.
  • by andrewstuart on 5/12/23, 8:17 PM

    It’s a weird tld given that zip files are a key malware and hacking vector.
  • by dheera on 5/12/23, 7:45 PM

    Oh this is an awesome TLD. If I want to share a file with friends I should just share it as https://somefile.myname.zip
  • by mgaunard on 5/12/23, 9:16 PM

    .com is also a valid file extension. Just learn to parse a URI.
  • by ipaddr on 5/12/23, 9:07 PM

    Can't wait for the .exe extension or the null extension .
  • by jamespo on 5/12/23, 7:18 PM

    Ah well, .*\.zip$ added to pi-holes regex blacklist
  • by foul on 5/12/23, 7:33 PM

    Probably the final aim from which this nerdy offer arises is to pollute the URL bar
  • by yieldcrv on 5/12/23, 7:38 PM

    Have we ever seen TLDs revoked or cease having registration possibility?
  • by bandyaboot on 5/12/23, 8:16 PM

    There is only one correct solution to this. It's to completely remove any and all of these egregious filename extension TLDs with no questions asked, and punish the people who pushed for this.

    I’m really curious to know what this person has in mind.

  • by fareesh on 5/12/23, 8:22 PM

    Same argument could be made for .com

    Speaking of which, who owns command.com ?

  • by dools on 5/12/23, 10:58 PM

    I don’t see what additional attacks this enables.
  • by syngrog66 on 5/12/23, 8:27 PM

    about as wise as having ".EXE" as a TLD
  • by swyx on 5/12/23, 7:14 PM

    cosign. come on Google, this is obviously confusing and frustrating for everybody. the money cannot mean that much to you.
  • by frou_dh on 5/12/23, 7:19 PM

    If you're looking for things to be OUTRAGED about then you'll find them.
  • by pierat on 5/12/23, 7:24 PM

    Eh, not really. It's all a mistake how we *interpret* domain names.

    From https://www.rfc-editor.org/rfc/rfc1034 3.6.1 , we see

    ----------------------

         For example, we might show the RRs carried in a message as:
    
         ISI.EDU.        MX      10 VENERA.ISI.EDU.
                         MX      10 VAXA.ISI.EDU.
         VENERA.ISI.EDU. A       128.9.0.32
                         A       10.1.0.52
         VAXA.ISI.EDU.   A       10.2.0.27
                         A       128.9.0.33
    
    
    ----------------------

    Notice it's not ISI.EDU, but it's ISI.EDU. for an absolute fully-qualified domain name.

    You can also notice weirdnesses here when you go to https://news.ycombinator.com. (copy and paste with period), like you're not logged in due to cookies not sharing.

    But requiring absolute FQDNs would solve this https://financialstatement.zip -> https://financialstatement.zip. and remove the ambiguity.
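    Two things in this thread turn on the RFC 1034 trailing dot: pierat's point that only `financialstatement.zip.` is an absolute name, and jamespo's `.*\.zip$` blocklist regex, which on the raw host string does not match a name that still carries that dot. The Python below is an added example, not code from any commenter or from Pi-hole: `resolution_candidates` reproduces the candidate order a glibc-style stub resolver derives from a search list and `ndots` (resolv.conf(5)), and `blocked` shows the regex with and without host normalisation. The search domain `corp.example` is a constructed value; whether a particular blocker strips the root dot before matching is a property of that blocker and is not assumed here.

```python
"""Absolute vs relative names, and a trailing-dot caveat for blocklists.

Added example for the HN thread; not from any commenter or tool.
Candidate ordering follows the documented glibc ndots rule:
  dots >= ndots -> try the name as absolute first, then the search list
  dots <  ndots -> try the search list first, then the name as absolute
  trailing dot  -> absolute only, no search-list expansion at all
"""
import re


def resolution_candidates(name: str, search: list, ndots: int = 1) -> list:
    """Absolute names a stub resolver would query for `name`, in order."""
    if name.endswith("."):
        return [name]  # RFC 1034 absolute name: nothing is appended
    relative = [f"{name}.{dom.rstrip('.')}." for dom in search]
    absolute = [name + "."]
    if name.count(".") >= ndots:
        return absolute + relative
    return relative + absolute


# The regex posted in the thread, as a Pi-hole style blocklist entry.
ZIP_BLOCK = re.compile(r".*\.zip$")


def normalise_host(host: str) -> str:
    """Lower-case and drop the trailing root dot before matching."""
    return host.lower().rstrip(".")


def blocked(host: str, normalise: bool = True) -> bool:
    """Does the thread's regex block this host? Optionally normalise first."""
    candidate = normalise_host(host) if normalise else host
    return ZIP_BLOCK.match(candidate) is not None


if __name__ == "__main__":
    # Constructed search domain standing in for a corporate suffix.
    search = ["corp.example"]
    for n in ("financialstatement.zip", "financialstatement.zip.", "product"):
        print(f"{n!r:28} -> {resolution_candidates(n, search)}")
    for h in ("financialstatement.zip", "financialstatement.zip."):
        print(f"{h!r:28} raw={blocked(h, False)} normalised={blocked(h)}")
```

    The relative form is the ambiguity pierat is pointing at: the same string names different things depending on the resolver's search list, while the dotted form names exactly one. The blocklist half is the practitioner caveat: a `$`-anchored pattern applied to an unnormalised host string passes the absolute form straight through, so normalise before you match.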