Google's .zip Provides Another Reason to Beware of Wacky Top-Level Domains

Originally published at: Google's .zip Provides Another Reason to Beware of Wacky Top-Level Domains - TidBITS

Google’s new .zip top-level domain has raised concerns from the security community due to the ease with which it enables ambiguous URLs that could be used in phishing attacks.

1 Like

Wow. This definitely qualifies for the “What Were They Thinking?” award for 2023. Anyone with the slightest awareness of digital security would instantly see how a TLD that matches a common file extension is a bad idea. That Google pushed this through shows how little concern their decision-makers have for security.


The part that looks odd to me is the “github“ starting with a dot. I don’t see any mention of that. I’m not familiar with how that operates.

Anyway, I’ve been warning about Unicode in DNS for years. What if people can register “goօ”? Can you tell that one of the letters is really the ”o” from the Armenian alphabet?

It does seem that Namecheap is now disallowing that ambiguity, fortunately. But I’m not sure the rest of the Net has closed those loopholes. Maybe they will also close the one raised here.

1 Like

FWIW, my Mac running Firefox can (at least with the font configured for Arial) :

But I get your point. I’ve seen many examples that are virtually impossible to figure out by eye.


Yep, the glyphs are highly subjective, but Unicode has tons of similar looking characters, and it would be easy to find many renderings that are nearly indistinguishable using default settings. It’s a massive potential problem.

This is one of the best reasons for using a password manager like 1Password. You don’t enter your password because you visually trust the domain name that you see: you let 1P populate it for you based on its character-by-character analysis of the domain presented. You can’t trust your eyes. Trust the software.

1 Like

Btw, here’s how it looks in Safari on my Mac:


It is, although steps have been taken to reduce the problem by displaying the Punycode¹ associated with the domain. For example, all three browsers I have handy (Safari, Chrome, and Firefox) and Thunderbird display the goօ link as when hovering over it. The browsers also display the Punycode URL when pasting goօ

It does require someone actually look at the URL the browser shows in the URL bar, so it’s far from a perfect solution, but at least it’s a tool available.

¹ It’s recommended to only use ASCII domain names. Punycode is a way to encode Unicode characters in ASCII for use in domain names.

Apple Mail (on Big Sur) also displays the Punycode on hover. I just tested it on that link.

On Firefox (not sure about the others), there’s an internal configuration option so it only shows punycode in the address bar. I have this turned on for all my browsers.

Mozillazine: Network.IDN show punycode.

Hmm, in retrospect, perhaps I should modify this claim. Namecheap shows that my “funky” is “taken”. I assumed that meant they were coalescing the Unicode characters back to basic ASCII; but I might be wrong. It could be that Google took the initiative (and expense) of finding all the possible impersonation permutations and bought them up, so that they are truly “taken”.

And there are many permutations :-) I just tried “”, and you can see that someone is already playing that game.

That would be an interesting research project to investigate.

8 posts were split to a new topic: Arial vs Helvetica

I wonder if the Google Domains .zip decision stemmed from a lack of attention due to being shut down and sold off.