.zip and .mov TLDs
-
@julian said in Who is using NodeBB?:
@scottalanmiller I am paraphrasing, but iirc the concern is that it short-circuits common wisdom to "check the url before clicking". For example, I could craft an anchor to this attachment which on cursory glance looks to be a file, but is in fact a website.
A lot of it relies on people being dumb. Most competent tech people can see that URL and know it's a domain, not an attachment... however "people" are often the weakest link, security-wise.
Edit: Originally, the url I chose was malicious.zip, but when I tested it, it downloaded a zip file to my computer; suffice to say I deleted it immediately.

But that's what I was saying... the risk isn't the URL, it's that using an operating system that uses three-letter name extensions to denote behavior is inherently risky, and if people were ACTUALLY concerned with security at all, they would react rationally instead of emotionally, and would have long ago moved away from Windows and actually fixed this risk. Avoiding legit domains because their users are too dumb and their security allowed Windows through seems more like an admission of failure and a tacit disregard for actual security. As we say in IT, "politics over profits"... looking to clueless managers like we are doing something, rather than actually doing what we are supposed to do.
In most settings, users shouldn't be working with files at all in modern workflows. But that's another level beyond just moving to more secure operating system platforms and processes.
-
@julian said in Who is using NodeBB?:
@phenomlab Perhaps one can drive home the point by registering quarterlyreports.zip and having it serve a zip bomb

But you could do that with a .com and make the opposite point, too. The only real answers are... good users, good secure processes/procedures/platforms. Bandaids are the most dangerous things because they make people feel that they can act recklessly and blame IT, when in reality nothing was done to protect them.
-
@phenomlab said in Who is using NodeBB?:
@scottalanmiller I'll just leave this here.
".Zip" top-level domains draw potential for information leaks
As a result of user applications increasingly registering actual “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server.
Cisco Talos Blog (blog.talosintelligence.com)
Plus, the fact that they are used to register legitimate domain names for nefarious purposes, as likely few have actually thought of registering them themselves.
In the Information Security arena I am in, the frequency of these domains being used in attacks is increasing daily.
So this article is a perfect example of what I mean. Let me quote some:
"How URLs based on filenames can leak information
Talos assesses that domains employing “.zip” and similar TLDs increase the likelihood of sensitive information disclosures through unintended DNS queries or web requests. With the availability of the new “.zip” TLDs, messaging applications like Telegram or internet browsers began reading strings ending in “.zip” as URLs and automatically hyperlinking them. This is especially problematic in chat applications, which sometimes trigger a DNS or web request to show a thumbnail of the linked page. For example, the following chat application changed what was meant to be the name of a file “update[.]exe[.]zip” to a hyperlink pointing to the URL “https[://]update.exe[.]zip”:"
So instead of highlighting the ACTUAL security issue of automatically choosing any string as a URL and hyperlinking it and fetching it and sending DNS to public space (wow, that's a lot of mistakes to make this happen) and blaming the use of insecure products, they point to the benign .zip URL. Because they are trying to cover up the actual security holes.
This is the same Cisco who ten years ago told me I needed a terabyte fiber link to my desktop or YouTube wouldn't work. I'd never put Cisco and security together in a sentence. That's a company whose claim to fame is selling smoke and mirrors to upper management and bypassing IT decision making. Their articles aren't for IT people, they are just selling FUD to management so that they can sell their useless products.
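As an added example (not from this thread or the Talos article): a small Python check that finds bare filename-like tokens ending in the .zip or .mov TLDs in a chat message and defangs them the way the quoted article writes them (update[.]exe[.]zip), so an auto-linker cannot turn a file name into a hostname lookup. The regex, function names and sample messages are my own constructions.

```python
import re

# TLDs that collide with common file extensions (the two discussed in the thread).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# A bare hostname-like token: dot-joined labels ending in a TLD-looking label.
# Not preceded by a word char, dot, '@', '/' or '-' (so parts of URLs, e-mails or
# longer names are skipped), and not followed by a word char, '-' or ".<word>".
_TOKEN_RE = re.compile(
    r"(?<![\w.@/-])((?:[a-z0-9-]+\.)+(?P<tld>[a-z]{2,}))(?![\w-]|\.\w)",
    re.IGNORECASE,
)


def find_linkable_filenames(text):
    """Return tokens a linkifier would treat as hostnames under a file-extension TLD."""
    return [
        m.group(1)
        for m in _TOKEN_RE.finditer(text)
        if m.group("tld").lower() in FILE_EXTENSION_TLDS
    ]


def defang(token):
    """Replace dots with '[.]' so chat clients and browsers stop auto-hyperlinking the name."""
    return token.replace(".", "[.]")


def scrub_message(text):
    """Defang every linkable filename in a message; returns (scrubbed_text, findings)."""
    findings = find_linkable_filenames(text)

    def repl(m):
        if m.group("tld").lower() in FILE_EXTENSION_TLDS:
            return defang(m.group(1))
        return m.group(0)  # ordinary hostnames such as example.com stay untouched

    return _TOKEN_RE.sub(repl, text), findings


if __name__ == "__main__":
    # Constructed sample message, not a real exchange.
    msg = "Please review update.exe.zip and quarterlyreports.zip before the meeting; see example.com"
    print(scrub_message(msg))
```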
-
If I'm leaking all that data, I'm leaking that data regardless of the .zip domain. What Cisco is proposing is hiding the security risk rather than addressing it. If someone on my security team said this to me, I'd be pretty upset. If I said this when working on Wall St., I'd expect to probably be in big trouble, if not lose my position. This isn't a little mistake but a fundamental misunderstanding of security (and IT basics). Whoever wrote this article isn't even a casual, junior security person. Nor a casual IT one. If this person was hired to work in security and claimed to have security experience, I'd be worried about professional negligence lawsuits if something bad happened.
This is like finding out that your team is taking private company data and putting it outside on the lawn for anyone to grab. And instead of telling them to not do that anymore, asking them to write "Private, don't look" on the envelope.
-
@julian said in Who is using NodeBB?:
@phenomlab Perhaps one can drive home the point by registering quarterlyreports.zip and having it serve a zip bomb

There was 42.zip that hosted the obvious (the 42.zip fork bomb), but Google suspended it for phishing, so now it just redirects to a tweet about the suspension.
Tbh, the most absurd part of .mov/.zip is that Google dropped them and then, just a month later, let Squarespace announce that they're killing (selling) Google Domains (they now at least have a support article I guess, but a lack of communication from their side was rather absurd here too). So now it'll not even be their problem (when it comes to policy enforcement) soon.
-
@phenomlab said in Who is using NodeBB?:
@julian I have a load of domains hosted there. They are very cheap as a registrar and they have arguably the fastest DNS on the planet.
Fast like CloudFlare?
-
@scottalanmiller fastest DNS. I don't use their other services.
-
@phenomlab said in Who is using NodeBB?:
@scottalanmiller fastest DNS. I don't use their other services.
I mean just DNS. CloudFlare's biggest thing has always been the fastest DNS on the market. I'd be interested who else is even in their category.
-
@scottalanmiller there isn't, from recollection or my own personal experience.
-
@phenomlab said in Who is using NodeBB?:
@scottalanmiller there isn't, from recollection or my own personal experience.
I'm confused, lol. Are you saying you use CloudFlare too for DNS?
-
@julian I doubt Cloudflare will abandon their domain registry even if it doesn't make them much money (they might just raise prices to have some profit... which is how most registrars do it anyway; they claim to be selling at essentially registrar prices), since their core product is related to providing DNS. They have relatively limited TLD support for now though, but it's getting better and they obviously have the most popular options.
Also, they probably won't kick you off, considering it took literal terrorism for them to drop 8chan and a long public campaign to drop Kiwifarms...
I don't think DigitalOcean has a registrar, so that's probably not an option.
I remember that Namecheap had problems with very slow responses to abuse reports (phishing mostly), but apparently they improved a lot on this front, so they're probably fine now - but I don't have much experience with them outside of that aspect.
An option I personally went with for a domain that CF doesn't support is Porkbun. Decent pricing (also they have a $1 off promotion on transfers from Google Domains), some sense of humor and the company is owned by the creator of ICANNWiki, so they seem to be all-in on domains
Personally I also use OVH, but that's primarily for .pl domains (and a single .uk that they apparently missed the price increase for, so I'm paying below registrar prices for it...), but I'm not sure if I'd recommend them over other options like CF.
-
@oplik0 said in .zip and .mov TLDs:
@julian I doubt Cloudflare will abandon their domain registry even if it doesn't make them much money
I'd say especially because of this. It's a zero profit item and they knew that going in. So it has no need to make money. They make bank in other areas, they are enormous now. And the cost of being a registrar is extremely low. So I'm sure it doesn't even show up on their radar.
-
@scottalanmiller I'd say it's less that the cost of being a registrar is extremely low in general (support, and especially handling abuse, does require some headcount), but rather that it integrates cleanly into all of their other services, as they need to handle most of the stuff related to domains anyway:
- DNS management? That's part of their core service
- Abuse reporting for domains? They proxy domains anyway, so they're handling a lot of this anyway (they do block domains for phishing or malware at least)
- Support that knows how domains and DNS works? Again, they need this for their core service
- TLS? Again, they do that for their core service
- heck, they're even offering stuff like email forwarding for any domain that uses them as DNS, so no need to do it separately
So they just profit from what most others need to use as bonus incentives to buy domains from them.
-
@oplik0 said in .zip and .mov TLDs:
just a month later, let Squarespace announce that they're killing (selling) Google Domains
They sold the Domain Registrar, they still own the TLD side of the business.
-
I also still have doubts regarding all those new gTLDs that are coming in droves. Regardless, I caved in and purchased a .community for my site. Namecheap have that first-year discount.
I remember reading somewhere that you have to pay $100k or something at the very least if you want to have your own .customdomain.
Has it ever been recorded in history that a generic top-level domain has died because the domain registrar couldn't afford to renew the contract? Be it due to few people using it, etc.