Google’s .zip Provides Another Reason to Beware of Wacky Top-Level Domains
At Medium, Bobbyr writes:
Google launched a new TLD or “Top Level Domain” of .zip, meaning you can now purchase a .zip domain, similar to a .com or .org domain for only a few dollars. The security community immediately raised flags about the potential dangers of this TLD. In this short write-up, we’ll cover how an attacker can leverage this TLD, in combination with the @ operator and unicode character ∕ (U+2215) to create an extremely convincing phish.
The .zip top-level domain is a terrible idea from a security perspective, and we can only hope that saner heads keep .jpg, .gif, .pdf, and .exe out of the complete list of top-level domains. Amusingly, Michael Tsai points out that the .zip proposal originally referred to Iomega’s now-defunct Zip drives. Sadly, it wasn’t denied like .floppy and .betamax.
More generally, when I’m scrubbing spambot-created accounts from my WordPress setup, every email address ending in a wacky top-level domain is bogus. The moral of the story is that if you must register an unusual top-level domain for a Web project, don’t also use it for email.
Wow. This definitely qualifies for the “What Were They Thinking?” award for 2023. Anyone with the slightest awareness of digital security would instantly see how a TLD that matches a common file extension is a bad idea. That Google pushed this through shows how little concern their decision-makers have for security.
The part that looks odd to me is the “github” starting with a dot. I don’t see any mention of that. I’m not familiar with how that operates.
Anyway, I’ve been warning about Unicode in DNS for years. What if people can register “goօgle.com”? Can you tell that one of the letters is really the “o” from the Armenian alphabet?
It does seem that Namecheap is now disallowing that ambiguity, fortunately. But I’m not sure the rest of the Net has closed those loopholes. Maybe they will also close the one raised here.
https://www.namecheap.com/domains/registration/results/?domain=go%D6%85%67le.com
FWIW, my Mac running Firefox can (at least with the font configured for Arial):
But I get your point. I’ve seen many examples that are virtually impossible to figure out by eye.
Yep, the glyphs are highly subjective, but Unicode has tons of similar looking characters, and it would be easy to find many renderings that are nearly indistinguishable using default settings. It’s a massive potential problem.
This is one of the best reasons for using a password manager like 1Password. You don’t enter your password because you visually trust the domain name that you see: you let 1P populate it for you based on its character-by-character analysis of the domain presented. You can’t trust your eyes. Trust the software.
Btw, here’s how it looks in Safari on my Mac:
It is, although steps have been taken to reduce the problem by displaying the Punycode¹ associated with the domain. For example, all three browsers I have handy (Safari, Chrome, and Firefox) and Thunderbird display the goօgle.com link as http://xn--gogle-mkg.com/ when hovering over it. The browsers also display the Punycode URL when pasting goօgle.com. It does require that someone actually look at the URL the browser shows in the URL bar, so it’s far from a perfect solution, but at least it’s a tool available.
¹ It’s recommended to only use ASCII domain names. Punycode is a way to encode Unicode characters in ASCII for use in domain names.
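As an added example (not code from the original post, the Medium write-up, or any commenter), the following shows what a WHATWG-style URL parser actually does with the two tricks discussed on this page: the “@ plus U+2215” .zip phish from the Medium excerpt at the top, and the Armenian-letter homograph whose Punycode form this comment reports. Node’s built-in URL class implements the same parsing algorithm browsers use, so its hostname is the host the browser will connect to, already converted to the xn-- form. The sample URLs are constructed for illustration (update.zip and the github.com-lookalike userinfo are made up), and inspectUrl with its warning list is my own triage helper, not anything from the page.

```javascript
// Added example: decompose suspicious URLs the way a browser does and flag the
// patterns discussed above. Node's global URL class (WHATWG URL Standard).

const DIVISION_SLASH = "\u2215"; // "∕": looks like "/" but does not end the authority
// .zip is the TLD the page is about; the author's hypothetical .jpg/.pdf/.exe
// would go here too if they ever existed.
const FILE_EXTENSION_TLDS = ["zip"];

// Parse `input` as a browser would and return the parts that matter for
// phishing triage, plus a list of human-readable warnings.
function inspectUrl(input) {
  const u = new URL(input);
  const warnings = [];
  const labels = u.hostname.split(".");
  const tld = labels[labels.length - 1];

  // Everything before "@" in the authority is userinfo, never the host.
  if (u.username !== "" || u.password !== "") {
    warnings.push("userinfo present: text before '@' is not the host");
  }
  // U+2215 mimics "/" visually but is just a character inside userinfo/path.
  if (input.includes(DIVISION_SLASH)) {
    warnings.push("contains U+2215 DIVISION SLASH, a '/' look-alike");
  }
  // hostname is already IDNA-converted; an xn-- label means the displayed
  // form contained non-ASCII (possibly look-alike) characters.
  if (labels.some((label) => label.startsWith("xn--"))) {
    warnings.push(`IDN host; Punycode form is ${u.hostname}`);
  }
  if (FILE_EXTENSION_TLDS.includes(tld)) {
    warnings.push(`TLD .${tld} doubles as a common file extension`);
  }

  return {
    username: decodeURIComponent(u.username), // what the victim read as the "site"
    realHost: u.hostname,                      // what the browser resolves and connects to
    tld,
    warnings,
  };
}

// Constructed samples (not from the original post):
const SAMPLES = [
  // Reads like a path on github.com; the browser sees userinfo "github.com∕…" and host update.zip.
  `https://github.com${DIVISION_SLASH}example${DIVISION_SLASH}archive${DIVISION_SLASH}@update.zip`,
  // The homograph from the comments: Armenian օ (U+0585) in place of the Latin o.
  "https://go\u0585gle.com/login",
  // Plain control: a real path on github.com ending in .zip is not a .zip host.
  "https://github.com/example/archive.zip",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(inspectUrl(s), null, 2));
}
```

The key takeaway matches the comment above: u.hostname is what the browser shows in the URL bar on hover or after paste, so checking it (rather than the text a human reads) is the same character-by-character comparison a password manager performs before filling a credential.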
Apple Mail (on Big Sur) also displays the Punycode on hover. I just tested it on that link.
On Firefox (not sure about the others), there’s an internal configuration option so it only shows punycode in the address bar. I have this turned on for all my browsers.
Mozillazine: Network.IDN show punycode.
Hmm, in retrospect, perhaps I should modify this claim. Namecheap shows that my “funky google.com” is “taken”. I assumed that meant they were coalescing the Unicode characters back to basic ASCII; but I might be wrong. It could be that Google took the initiative (and expense) of finding all the possible impersonation permutations and bought them up, so that they are truly “taken”.
And there are many permutations :-) I just tried “googIe.com”, and you can see that someone is already playing that game.
That would be an interesting research project to investigate.
I wonder if the Google Domains .zip decision stemmed from a lack of attention due to being shut down and sold off.