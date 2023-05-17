



Earlier in May, Google Domains added support for eight new top-level domains (TLDs). Two of them, .zip and .mov, caused confusion in the security community.

The reason, of course, is that both .zip and .mov are also file extensions. So there is concern that criminals could take advantage of these TLDs to trick people into visiting malicious websites when they believe they are opening files. There are other threat scenarios as well.

A security researcher who goes by the name “bobbyr” gave an example of the problem with Google’s move in a blog post on Tuesday. By exploiting a known Chrome behavior that Google has decided not to fix, they showed that it is possible to construct URLs containing Unicode characters that look like slashes (U+2215, DIVISION SLASH) but are not treated as slashes when the browser fetches the resource.

Combined with the @ delimiter, which RFC 3986 uses to separate the user information (userinfo) part of a URL from the host (embedded credentials that are considered insecure and are ignored by most modern browsers), this link

https://[email protected]

treated as

v1271.zip

This is because everything before the @ delimiter is treated as user information.

The resulting v1271.zip domain can be registered and used to host a Flask application that responds to any request with a malicious .exe file.

This URL parsing behavior is visible when pasting the above URL into the Chrome omnibox: Chrome shows the actual, shortened address (everything to the right of the @ symbol) above the full URL, which it presents as a search query.
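To make the parsing rule concrete from the defender's side, here is an added Python example (not code from the article or from the researcher's post) that resolves a URL the way RFC 3986 userinfo handling does and flags the two ingredients described above: slash look-alike characters kept inside the authority, and an @ sign placing a .zip or .mov host after a familiar-looking fake path. The sample URL and the extra look-alike characters beyond U+2215 are constructed for this example; the article's own URL is not reproduced.

```python
from urllib.parse import urlsplit

# Slash look-alikes. U+2215 DIVISION SLASH is the character the article names;
# the other two are added here as further examples of glyphs that render
# like "/" but are not path delimiters (an assumption, not from the article).
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

# TLDs that double as common file extensions (the two the article discusses).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Constructed sample, modelled on the structure the article describes: a
# familiar-looking "path" that is really RFC 3986 userinfo, ending at '@'.
SAMPLE_URL = "https://github.com\u2215downloads\u2215archive\u2215@v1271.zip"


def effective_host(url: str) -> str:
    """Return the host a browser would actually connect to.

    RFC 3986 places userinfo before '@' in the authority component, so
    everything up to the last '@' is credentials, not part of the hostname.
    """
    return urlsplit(url).hostname or ""


def analyze_url(url: str) -> dict:
    """Flag the two tricks the article describes: slash look-alikes that keep
    the fake path inside the authority, and '@' userinfo hiding the real host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    userinfo = parts.netloc.rpartition("@")[0]  # empty when there is no '@'
    # Only the authority is inspected: a real slash would have ended it.
    lookalikes = sorted(
        {SLASH_LOOKALIKES[c] for c in parts.netloc if c in SLASH_LOOKALIKES}
    )
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    findings = {
        "host": host,
        "userinfo": userinfo,
        "slash_lookalikes": lookalikes,
        "file_extension_tld": tld in FILE_EXTENSION_TLDS,
    }
    # Slash look-alikes have no legitimate use in an authority; userinfo in
    # front of a .zip/.mov host is the exact shape of the decoy link.
    findings["suspicious"] = bool(lookalikes) or (
        bool(userinfo) and findings["file_extension_tld"]
    )
    return findings


if __name__ == "__main__":
    for url in (SAMPLE_URL, "https://github.com/downloads/archive/v1271.zip"):
        print(url)
        print("  connects to:", effective_host(url))
        print("  findings:", analyze_url(url))
```

For the constructed sample, `effective_host` returns `v1271.zip`, exactly the behaviour the article describes, while the ordinary URL with real slashes resolves to `github.com` and raises no finding. A mail gateway or link-rewriting proxy can apply the same check to every URL it sees, since a slash look-alike inside the authority never appears in a legitimate link.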

[Screenshot: .zip domain with Unicode slash characters]

“bobbyr” claims that this technique works even better in email clients such as the web version of Gmail, where the @ symbol can be given a hidden font size to make the URL look more convincing.

Other email clients behave differently, however. Apple Mail, for example, hyperlinks only the github.com portion of the URL, stopping at the U+2215 character, which prevents the accidental formation of an insecure link to the v1271.zip domain.

There is some risk of confusion, but not much more than the current situation already allows, given the many existing issues with name collisions, homoglyphs, and related concerns. As others have pointed out, .com was once a common Windows file extension, and the Polish ccTLD (.pl) is still Perl’s file extension. Saint Helena’s ccTLD (.sh) is also the file extension for shell scripts, and the Republic of Serbia shares its ccTLD (.rs) with the Rust file extension.

“Not bad, actually.”

Eric Lawrence, Microsoft’s principal software engineer and veteran browser wrangler, recently called the arrival of .zip and .mov “not bad, actually.”

Lawrence acknowledged in his blog post that there could be some risk in applications’ automatic hyperlinking mechanisms, for example an email client that converts “VacationPhotos.zip” into link text pointing to the corresponding .zip domain. However, he argued, this is neither a particularly exciting attack vector nor a likely one, and he suggested that it might be a good idea to exclude these specific domains from an app’s hyperlinking routines.
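Lawrence's suggestion is simple to implement. The following Python autolinker is an added example (not code from the article, from Lawrence, or from any mail client): it honours URLs that carry an explicit scheme, turns ordinary scheme-less host names into links, but leaves a bare token whose last label is .zip or .mov as plain text, so a filename mentioned in a message never becomes a link to a domain. The exclusion list, the regular expressions and the sample messages are this example's own assumptions.

```python
import html
import re

# TLDs to exclude from automatic hyperlinking because they are also common
# file extensions (the two the article discusses; the exclusion list itself
# is this example's own choice, not a library default).
EXCLUDED_TLDS = {"zip", "mov"}

# A token the user wrote with an explicit scheme: always honoured as a URL.
EXPLICIT_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# A scheme-less host-like token such as "example.com" or "VacationPhotos.zip";
# group 1 captures the last label so the TLD can be checked.
BARE_HOST = re.compile(r"(?:[a-z0-9-]+\.)+([a-z]{2,})", re.IGNORECASE)


def linkify_token(token: str) -> str:
    """Wrap one whitespace-delimited token in an <a> tag when it looks like a
    URL, leaving filename-like tokens (foo.zip, clip.mov) as plain text."""
    safe = html.escape(token, quote=True)
    if EXPLICIT_URL.fullmatch(token):
        return f'<a href="{safe}">{safe}</a>'
    m = BARE_HOST.fullmatch(token)
    if m and m.group(1).lower() not in EXCLUDED_TLDS:
        return f'<a href="http://{safe}">{safe}</a>'
    return safe  # VacationPhotos.zip stays text; no link to a .zip domain


def autolink(text: str) -> str:
    """Autolink a plain-text message one space-delimited token at a time."""
    return " ".join(linkify_token(t) for t in text.split(" "))


if __name__ == "__main__":
    # Constructed sample message.
    print(autolink("I attached VacationPhotos.zip and clip.mov - see example.com"))
```

A token written with an explicit `https://` prefix is still linked even when its host ends in .zip, which is deliberate: the point of the exclusion is to stop an application from inventing a link the user never typed, not to block deliberate links to these TLDs.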

Lawrence was also skeptical that .zip and .mov make URLs, which are already obfuscated, meaningfully more confusing. “URLs are already incredibly nuanced, and relying on a user to be able to parse a URL correctly in their head is in many ways a futile proposition,” he argued.

Finally, he sees a potential advantage in new TLDs: new domains can be deployed with stricter security defaults at the registry level. He notes that .zip and .mov are among some 40 TLDs on the HTTP Strict Transport Security (HSTS) preload list. HSTS tells browsers to connect only over TLS.

Google expressed a similar view in an email to The Register, acknowledging the potential for abuse, but arguing that the risks were both familiar and manageable.

“The risk of confusion between domain names and filenames is nothing new,” the spokesperson said. “For example, 3M’s Command products use the domain name command.com, which is also the name of an important program in early versions of MS-DOS and Windows.”

“Applications have mitigations for this (such as Google Safe Browsing), and these mitigations also apply to TLDs such as .zip. At the same time, new namespaces provide opportunities for naming such as community.zip and url.zip.”

“Google takes phishing and malware seriously, and Google Registry has existing mechanisms to suspend or remove malicious domains across all TLDs, including .zip. We will continue to monitor TLD usage and take appropriate steps to protect users as new threats emerge.”

