Google's .zip Provides Another Reason to Beware of Wacky Top-Level Domains

Originally published at: Google's .zip Provides Another Reason to Beware of Wacky Top-Level Domains - TidBITS

Google’s new .zip top-level domain has raised concerns from the security community due to the ease with which it enables ambiguous URLs that could be used in phishing attacks.

1 Like

Wow. This definitely qualifies for the “What Were They Thinking?” award for 2023. Anyone with the slightest awareness of digital security would instantly see how a TLD that matches a common file extension is a bad idea. That Google pushed this through shows how little concern their decision-makers have for security.

3 Likes

The part that looks odd to me is the “github” starting with a dot. I don’t see any mention of that. I’m not familiar with how that operates.

Anyway, I’ve been warning about Unicode in DNS for years. What if people can register “goօgle.com”? Can you tell that one of the letters is really the “o” from the Armenian alphabet?

It does seem that Namecheap is now disallowing that ambiguity, fortunately. But I’m not sure the rest of the Net has closed those loopholes. Maybe they will also close the one raised here.

https://www.namecheap.com/domains/registration/results/?domain=go%D6%85%67le.com

1 Like

FWIW, my Mac running Firefox can (at least with the font configured for Arial):

But I get your point. I’ve seen many examples that are virtually impossible to figure out by eye.

2 Likes

Yep, the glyphs are highly subjective, but Unicode has tons of similar looking characters, and it would be easy to find many renderings that are nearly indistinguishable using default settings. It’s a massive potential problem.

This is one of the best reasons for using a password manager like 1Password. You don’t enter your password because you visually trust the domain name that you see: you let 1P populate it for you based on its character-by-character analysis of the domain presented. You can’t trust your eyes. Trust the software.

1 Like

Btw, here’s how it looks in Safari on my Mac:

2 Likes

It is, although steps have been taken to reduce the problem by displaying the Punycode¹ associated with the domain. For example, all three browsers I have handy (Safari, Chrome, and Firefox) and Thunderbird display the goօgle.com link as http://xn--gogle-mkg.com/ when hovering over it. The browsers also display the Punycode URL when pasting goօgle.com.

It does require someone actually look at the URL the browser shows in the URL bar, so it’s far from a perfect solution, but at least it’s a tool available.

¹ It’s recommended to only use ASCII domain names. Punycode is a way to encode Unicode characters in ASCII for use in domain names.
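As an added example (not code from any poster in this thread), the following Python shows the two checks discussed above in working form: the IDNA conversion that produces the `xn--gogle-mkg.com` form browsers display on hover, a mixed-script check of the kind that catches the Armenian “օ” in “goօgle.com”, and a look at which host a URL actually resolves to when its authority contains `@` and ends in a file-extension-like TLD such as `.zip`. The sample domain is the one from the thread; the `https://user@example.zip/file` URL and the `FILE_EXTENSION_TLDS` set are constructed for illustration.

```python
# Added example (not from the TidBITS thread): IDN-to-Punycode conversion,
# a mixed-script homograph check, and an "which host does this URL really
# name?" check for file-extension-style TLDs. Defensive use only.
import unicodedata
from urllib.parse import urlsplit

# Constructed sample, the "goօgle.com" from the thread: the third letter is
# U+0585 ARMENIAN SMALL LETTER OH, not a Latin "o".
HOMOGRAPH_DOMAIN = "go\u0585gle.com"

# Assumed list of TLDs that collide with common file extensions.
FILE_EXTENSION_TLDS = {"zip", "mov"}


def to_punycode(domain: str) -> str:
    """Return the ASCII (xn--) form that browsers show when hovering over
    an internationalised domain name. Pure-ASCII input comes back unchanged."""
    return domain.encode("idna").decode("ascii")


def label_scripts(label: str) -> set[str]:
    """Scripts used by the letters of one DNS label, taken from the first
    word of each character's Unicode name (LATIN, ARMENIAN, CYRILLIC, ...).
    Digits and hyphens are ignored because they carry no script."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch.isalpha()
    }


def is_mixed_script(domain: str) -> bool:
    """True if any label mixes scripts, the classic homograph tell."""
    return any(len(label_scripts(label)) > 1 for label in domain.split("."))


def host_of(url: str) -> str:
    """The host a client will actually connect to. Anything before an '@'
    in the authority is user-info, not the host, which is what makes
    URLs that read as a path to a .zip file ambiguous to the eye."""
    return (urlsplit(url).hostname or "").lower()


def looks_like_file_tld(url: str) -> bool:
    """True if the real host ends in a TLD that doubles as a file extension."""
    host = host_of(url)
    return host.rsplit(".", 1)[-1] in FILE_EXTENSION_TLDS


if __name__ == "__main__":
    print(HOMOGRAPH_DOMAIN, "->", to_punycode(HOMOGRAPH_DOMAIN))
    print("mixed script:", is_mixed_script(HOMOGRAPH_DOMAIN))
    sample_url = "https://user@example.zip/file"  # constructed
    print(sample_url, "connects to", host_of(sample_url),
          "| file-style TLD:", looks_like_file_tld(sample_url))
```

`to_punycode` is the same conversion Safari, Chrome, Firefox and Thunderbird perform before showing the hover text, so its output is what a user should expect to see in the status bar; `is_mixed_script` is a coarse filter (a label written entirely in one non-Latin script passes it), which is why the 1Password approach of matching the stored domain character by character, rather than trusting the rendering, is the stronger control.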

Apple Mail (on Big Sur) also displays the Punycode on hover. I just tested it on that link.

On Firefox (not sure about the others), there’s an internal configuration option so it only shows punycode in the address bar. I have this turned on for all my browsers.

Mozillazine: Network.IDN show punycode.

Hmm, in retrospect, perhaps I should modify this claim. Namecheap shows that my “funky google.com” is “taken”. I assumed that meant they were coalescing the Unicode characters back to basic ASCII; but I might be wrong. It could be that Google took the initiative (and expense) of finding all the possible impersonation permutations and bought them up, so that they are truly “taken”.

And there are many permutations :-) I just tried “googIe.com”, and you can see that someone is already playing that game.

That would be an interesting research project to investigate.

8 posts were split to a new topic: Arial vs Helvetica

I wonder if the Google Domains .zip decision stemmed from a lack of attention due to being shut down and sold off.