Skip to content
Thoughtful, detailed coverage of everything Apple for 34 years
and the TidBITS Content Network for Apple professionals

Google’s .zip Provides Another Reason to Beware of Wacky Top-Level Domains

At Medium, Bobbyr writes:

Google launched a new TLD or “Top Level Domain” of .zip, meaning you can now purchase a .zip domain, similar to a .com or .org domain for only a few dollars. The security community immediately raised flags about the potential dangers of this TLD. In this short write-up, we’ll cover how an attacker can leverage this TLD, in combination with the @ operator and unicode character ∕ (U+2215) to create an extremely convincing phish.

The .zip top-level domain is a terrible idea from a security perspective, and we can only hope that saner heads keep .jpg, .gif, .pdf, and .exe out of the complete list of top-level domains. Amusingly, Michael Tsai points out that the .zip proposal originally referred to Iomega’s now-defunct Zip drives. Sadly, it wasn’t denied like .floppy and .betamax.

Google .zip top-level domain

More generally, when I’m scrubbing spambot-created accounts from my WordPress setup, every email address ending in a wacky top-level domain is bogus. The moral of the story is that if you must register an unusual top-level domain for a Web project, don’t also use it for email.

Read original article

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.

Comments About Google’s .zip Provides Another Reason to Beware of Wacky Top-Level Domains

Notable Replies

  1. Wow. This definitely qualifies for the “What Were They Thinking?” award for 2023. Anyone with the slightest awareness of digital security would instantly see how a TLD that matches a common file extension is a bad idea. That Google pushed this through shows how little concern their decision-makers have for security.

  2. The part that looks odd to me is the “github“ starting with a dot. I don’t see any mention of that. I’m not familiar with how that operates.

    Anyway, I’ve been warning about Unicode in DNS for years. What if people can register “goօ”? Can you tell that one of the letters is really the ”o” from the Armenian alphabet?

    It does seem that Namecheap is now disallowing that ambiguity, fortunately. But I’m not sure the rest of the Net has closed those loopholes. Maybe they will also close the one raised here.

  3. FWIW, my Mac running Firefox can (at least with the font configured for Arial) :

    But I get your point. I’ve seen many examples that are virtually impossible to figure out by eye.

  4. Yep, the glyphs are highly subjective, but Unicode has tons of similar looking characters, and it would be easy to find many renderings that are nearly indistinguishable using default settings. It’s a massive potential problem.

    This is one of the best reasons for using a password manager like 1Password. You don’t enter your password because you visually trust the domain name that you see: you let 1P populate it for you based on its character-by-character analysis of the domain presented. You can’t trust your eyes. Trust the software.

  5. blm

    It is, although steps have been taken to reduce the problem by displaying the Punycode¹ associated with the domain. For example, all three browsers I have handy (Safari, Chrome, and Firefox) and Thunderbird display the goօ link as when hovering over it. The browsers also display the Punycode URL when pasting goօ

    It does require someone actually look at the URL the browser shows in the URL bar, so it’s far from a perfect solution, but at least it’s a tool available.

    ¹ It’s recommended to only use ASCII domain names. Punycode is a way to encode Unicode characters in ASCII for use in domain names.

  6. Apple Mail (on Big Sur) also displays the Punycode on hover. I just tested it on that link.

  7. On Firefox (not sure about the others), there’s an internal configuration option so it only shows punycode in the address bar. I have this turned on for all my browsers.

    Mozillazine: Network.IDN show punycode.

  8. Hmm, in retrospect, perhaps I should modify this claim. Namecheap shows that my “funky” is “taken”. I assumed that meant they were coalescing the Unicode characters back to basic ASCII; but I might be wrong. It could be that Google took the initiative (and expense) of finding all the possible impersonation permutations and bought them up, so that they are truly “taken”.

    And there are many permutations :-) I just tried “”, and you can see that someone is already playing that game.

    That would be an interesting research project to investigate.

Join the discussion in the TidBITS Discourse forum


Avatar for ace Avatar for dave1 Avatar for blm Avatar for Quantumpanda Avatar for Shamino