deddit.petersanchez.com

are domains containing 'zip' near the end a legitimate threat?
from tisktisk@piefed.social to nostupidquestions@lemmy.world on 18 Aug 21:15
https://piefed.social/post/1160515

I’ve heard a decent argument why it should be avoided, and I’m curious to know to what degree. I understand avoiding .zip links, but should I go as far as to avoid .zip communities too? Where does this thinking become genuine paranoia?

#nostupidquestions #technology #tld #zip

threaded - newest

artiman@piefed.social on 18 Aug 21:35 next collapse

No where did you heard that from?

tisktisk@piefed.social on 18 Aug 21:51 collapse

https://lemmy.world/post/1588281
https://en.m.wikipedia.org/wiki/.zip_(top-level_domain)

tisktisk@piefed.social on 18 Aug 22:08 collapse

The ending closed parenthesis is needed for this link but I can't fix it sry

Ephera@lemmy.ml on 19 Aug 01:14 collapse

This might fix it on some clients (but probably breaks it on others): en.wikipedia.org/wiki/.zip_(top-level_domain)

unexposedhazard@discuss.tchncs.de on 18 Aug 21:37 next collapse

I dont think there are any valid technical insecurities. Its just a TLD like any other. The issue is just that people might get confused by it and that could be used for phishing stuff.

bamboo@lemmy.blahaj.zone on 18 Aug 21:50 next collapse

Exactly this, the .zip file extension is widely known, and now that it’s also a TLD, it can be confusing for some people. There’s no technical vulnerability, but the existence of .zip TLD just gives more ammo for phishing. For example, someone could register a domain name recent-bank-statements[.]zip (without brackets) and then have a subdomain for chase.com and send someone a link to https://chase.com.recent-bank-statements/[.]zip to “Download your bank statements”. If you’re not looking closely, you might not realize there is a . instead of a / and think that this link would go to chase.com When the site initiates a download of a zip file, you might trust the contents thinking it came from Chase and not a malicious link.

tisktisk@piefed.social on 18 Aug 22:15 collapse

Excellent explanation. So with this knowledge, should .zip sublemmy/communities be avoided as well or is this excessive for some reason?

Demigodrick@lemmy.zip on 18 Aug 22:41 next collapse

Just to clear up, you aren’t interacting with lemmy.zip communities directly from your instance. You never directly interface with lemmy.zip, instead the servers send copies of posts and comments between eachother.

There is no risk from lemmy.zip (obviously) - its a lemmy instance that’s been around over 2 years and is perfectly legitimate. There’s just as much risk from every other tld where people intentionally misspell company names or try to insert similar looking characters. Practice basic Internet security (i.e. dont click on links you aren’t expecting) and you’re pretty much covered.

tisktisk@piefed.social on 18 Aug 22:46 collapse

Holy God I didn't expect the admin of lemmy.zip to chime in.😊 I'm very appreciative of your work, please don't see this as FUD or shade-throwing. I'm just trying to understand and improve my general security practices as best I can.

Demigodrick@lemmy.zip on 18 Aug 23:14 collapse

Sorry but your posts are FUD. You’re trying to equate people misusing tlds (which happens across many other tlds) as somehow lemmy.zip is “bad” instance that should be avoided.

Not only is that not true, you are also purposely misunderstanding how federation works as if youre somehow safer not interacting with lemmy.zip. Again, not remotely true.

If you want to block .zip TLDs you go for it, no one is stopping you, but you may as well block .com TLDs while you’re at it as that’s where most scams take place.

bamboo@lemmy.blahaj.zone on 18 Aug 23:26 collapse

it’s excessive

tisktisk@piefed.social on 18 Aug 22:27 collapse

Should .zip communities be avoided for this potential confusion or no?

SEND_BUTTPLUG_PICS@lemmy.zip on 18 Aug 22:23 next collapse

I fucking hope not because I belong to lemmy.zip!

xavier666@lemmy.umucat.day on 19 Aug 07:31 collapse

@SEND_BUTTPLUG_PICS@lemmy.zip should I zip them and send?

NaibofTabr@infosec.pub on 18 Aug 22:28 next collapse

The “.zip” TLD isn’t itself a security risk, but it should never have been created in the first place due to the overlap with .zip files.

Understanding the context of why the .zip TLD is a bad idea, you should be questioning the general competence of a web admin that would intentionally purchase and operate a .zip website. There are plenty of other cheap TLDs available that do not overlap with common file extensions. It’s such an obvious and avoidable problem that you have to wonder what other obvious problems they are failing to avoid.

tisktisk@piefed.social on 18 Aug 22:36 next collapse

Well put. Your explanation has me most confident I should avoid lemmy.zip communities for the time being--thx

jaybone@lemmy.zip on 18 Aug 23:00 next collapse

lol there is nothing wrong with Lemmy.zip. It’s a legit Lemmy instance and the communities are safe.

The concern is that someone might try to make a website / URL appear to be a zip file you can download and open. But Lemmy.zip is not doing that.

Also you are on a different Lemmy instance, so you never interact with Lemmy.zip directly. Instead, behind the scenes, your instance exchanges data with Lemmy.zip, and all other instances it is federated with, regardless of whether you personally subscribe to any .zip communities or not.

tisktisk@piefed.social on 18 Aug 23:07 collapse

If the concern is legit, wouldn't it be an ethical practice to not support services that use the problematic TLD?

Rhynoplaz@lemmy.world on 18 Aug 23:28 collapse

Not everything needs an ethical practice.

BootLoop@sh.itjust.works on 19 Aug 12:54 collapse

Lemmy communities are run by volunteers who are often footing the bill themselves to run. Without these people Lemmy would not exist. One/some of these people decided to save themselves a few bucks a month and get a .zip domain. There’s nothing wrong with lemmy.zip

actionjbone@sh.itjust.works on 18 Aug 23:30 collapse

I do not disagree, though I’m curious on your take of .COM since that has always had the same issue.

Scrollone@feddit.it on 19 Aug 05:07 next collapse

The difference is they everybody knows about zip files, even my old mom. Not so much for com executables. That’s why it can lead to phishing, etc.

NaibofTabr@infosec.pub on 21 Aug 03:38 collapse

Basically, .COM files are not commonly used and definitely not commonly shared on the Internet. The overlap between use cases for .COM files and .com TLDs is almost nothing.

In contrast, .ZIP files are very commonly shared on the Internet as a convenient way to transfer a group of files all at once, and there are a few different techniques for using .ZIP files maliciously. There is a lot more potential for conflicts between .ZIP files and the .zip TLD on the Internet.

aviationeast@lemmy.world on 18 Aug 23:58 next collapse

Waiting for Lemmy.exe

captainlezbian@lemmy.world on 19 Aug 04:36 collapse

That’ll just install arch and delete windows

fuckwit_mcbumcrumble@lemmy.dbzer0.com on 19 Aug 04:49 collapse

What would lemmy.sh do? Install the latest screenfetch and post it online?

Cevilia@lemmy.blahaj.zone on 19 Aug 06:56 collapse

lemmy.sh would order hormones and programmer socks.

TriflingToad@sh.itjust.works on 19 Aug 03:22 next collapse

yeah id say so, tech literacy is bad as is. Adding to the scams is the last thing we need.

However it’s like any other .com just with a more customizable name, like files.catbox.moe fits because the site is decorated with anime drawings (moe definition).
for a techy website .zip is fine, as long as they’re not using it as an attempt to scam.

lemmy.zip is perfectly a-ok in my eyes

missingno@fedia.io on 19 Aug 05:23 collapse

There's an argument to be made that ICANN shouldn't have made .zip a valid TLD due to potential confusion. But that's ICANN's problem, and it's a bit too late to undo that mistake now. You don't need to worry that there's something wrong with a Fediverse instance using it. As long as you can tell the difference between a community and a zip file, nothing bad is going to happen.