.zip and .mov TLDs
-
@julian said in Who is using NodeBB?:
@phenomlab Perhaps one can drive home the point by registering quarterlyreports.zip and having it serve a zip bomb
But you could do that with a .com and make the opposite point, too. The only real answers are... good users, good secure processes/procedures/platforms. Bandaids are the most dangerous things because they make people feel that they can act recklessly and blame IT, when in reality nothing was done to protect them.
-
@phenomlab said in Who is using NodeBB?:
@scottalanmiller I'll just leave this here.
".Zip" top-level domains draw potential for information leaks
As a result of user applications increasingly registering actual “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server
Cisco Talos Blog (blog.talosintelligence.com)
Plus, the fact that they are used to register legitimate domain names for nefarious purposes as likely few have actually thought of registering it themselves.
In the Information Security arena I am in, the frequency of these domains being used in attacks is increasing daily.
So this article is a perfect example of what I mean. Let me quote some:
"How URLs based on filenames can leak information
Talos assesses that domains employing “.zip” and similar TLDs increase the likelihood of sensitive information disclosures through unintended DNS queries or web requests. With the availability of the new “.zip” TLDs, messaging applications like Telegram or internet browsers began reading strings ending in “.zip” as URLs and automatically hyperlinking them. This is especially problematic in chat applications, which sometimes trigger a DNS or web request to show a thumbnail of the linked page. For example, the following chat application changed what was meant to be the name of a file “update[.]exe[.]zip” to a hyperlink pointing to the URL “https[://]update.exe[.]zip”:"
So instead of highlighting the ACTUAL security issue of automatically choosing any string as a URL and hyperlinking it and fetching it and sending DNS to public space (wow, that's a lot of mistakes to make this happen) and blaming the use of insecure products, they point to the benign .zip URL. Because they are trying to cover up the actual security holes.
This is the same Cisco who ten years ago told me I needed a terabyte fiber link to my desktop or YouTube wouldn't work. I'd never put Cisco and security together in a sentence. That's a company whose claim to fame is selling smoke and mirrors to upper management and bypassing IT decision making. Their articles aren't for IT people, they are just selling FUD to management so that they can sell their useless products.
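Added example (not from this thread, and not code from the Talos post): a small Python check for the leak mechanism quoted above. It scans constructed DNS query log lines for .zip/.mov lookups whose name reads like a filename, and defangs any .zip/.mov token in a chat message before a linkifier can turn it into a hostname. The dnsmasq-style log format and the filename heuristics are assumptions made for this example.

```python
import re

# Constructed sample in a dnsmasq-style "query[TYPE] name from client" format
# (an assumption for this example, not a format taken from the thread).
SAMPLE_DNS_LOG = """\
query[A] quarterlyreports.zip from 10.0.0.15
query[A] update.exe.zip from 10.0.0.22
query[A] www.example.com from 10.0.0.15
query[A] board-deck-2023.mov from 10.0.0.31
query[A] cdn.example.zip from 10.0.0.22
"""

RISKY_TLDS = {"zip", "mov"}  # TLDs that collide with common file extensions
INNER_FILE_EXTS = {"exe", "pdf", "xlsx", "docx", "pptx", "tar", "sql", "bak"}
QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")
# Tokens a naive linkifier would promote to hostnames (assumed heuristic).
TOKEN_RE = re.compile(r"\b[\w.-]+\.(?:zip|mov)\b", re.IGNORECASE)


def looks_like_filename(name):
    """Heuristic: does this .zip/.mov name read like a file rather than a host?"""
    labels = name.lower().rstrip(".").split(".")
    if labels[-1] not in RISKY_TLDS:
        return False
    # A double extension such as update.exe.zip is a strong filename signal.
    if len(labels) >= 3 and labels[-2] in INNER_FILE_EXTS:
        return True
    # A single label with digits, separators or report-like words (quarterlyreports.zip).
    stem = labels[0]
    return len(labels) == 2 and re.search(r"\d|[-_]|report|backup|deck", stem) is not None


def flag_leaky_queries(log_text):
    """Return (name, client) pairs for DNS queries that look like leaked filenames."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and looks_like_filename(m.group("name")):
            hits.append((m.group("name"), m.group("src")))
    return hits


def find_linkifiable_filenames(message):
    """Filename-like tokens in a chat message that would become .zip/.mov links."""
    return [t for t in TOKEN_RE.findall(message) if looks_like_filename(t)]


def defang(message):
    """Break the dots so chat clients stop treating the token as a URL."""
    return TOKEN_RE.sub(lambda m: m.group(0).replace(".", "[.]"), message)
```

Running the DNS check over resolver logs shows which internal clients are already emitting filename-shaped queries; the defang step is the chat-side complement.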
-
If I'm leaking all that data, I'm leaking that data regardless of the .zip domain. What Cisco is proposing is hiding the security risk rather than addressing it. If someone on my security team said this to me, I'd be pretty upset. If I said this when working on Wall St., I'd expect to probably be in big trouble if not lose my position. This isn't a little mistake but a fundamental misunderstanding of security (and IT basics). Whoever wrote this article isn't even a casual, junior security person. Nor a casual IT one. If this person was hired to work in security and claimed to have security experience, I'd be worried about professional negligence lawsuits if something bad happened.
This is like finding out that your team is taking private company data and putting it outside on the lawn for anyone to grab. And instead of telling them to not do that anymore, asking them to write "Private, don't look" on the envelope.
-
@julian said in Who is using NodeBB?:
@phenomlab Perhaps one can drive home the point by registering quarterlyreports.zip and having it serve a zip bomb
There was 42.zip that hosted the obvious (the 42.zip fork bomb), but Google suspended it for phishing so now it just redirects to a tweet about the suspension
Tbh. the most absurd part of .mov/.zip is that Google dropped them and then, just a month later, let Squarespace announce that they're killing (selling) Google Domains (they now at least have a support article I guess, but a lack of communication from their side was rather absurd here too). So now it'll not even be their problem (when it comes to policy enforcement) soon.
-
@phenomlab said in Who is using NodeBB?:
@julian I have a load of domains hosted there. They are very cheap as a registrar and they have arguably the fastest DNS on the planet.
Fast like CloudFlare?
-
@scottalanmiller fastest DNS. I don't use their other services.
-
@phenomlab said in Who is using NodeBB?:
@scottalanmiller fastest DNS. I don't use their other services.
I mean just DNS. CloudFlare's biggest thing has always been the fastest DNS on the market. I'd be interested who else is even in their category.
-
@scottalanmiller there isn't from recollection or my own personal experience
-
@phenomlab said in Who is using NodeBB?:
@scottalanmiller there isn't from recollection or my own personal experience
I'm confused, lol. Are you saying you use CloudFlare too for DNS?
-
@julian I doubt Cloudflare will abandon their domain registry even if it doesn't make them much money (they might just raise prices to have some profit... which is how most registrars do it anyway, they claim to be selling at essentially registrar prices), since their core product is related to providing DNS. They have a relatively limited TLD support for now though, but it's getting better and obviously have the most popular options.
Also, they probably won't kick you off, considering it took literal terrorism for them to drop 8chan and a long public campaign to drop Kiwifarms... I don't think DigitalOcean has a registrar, so that's probably not an option.
I remember that Namecheap had problems with very slow responses to abuse reports (phishing mostly), but apparently they improved a lot on this front, so they're probably fine now - but I don't have much experience with them outside of that aspect.
An option I personally went with for a domain that CF doesn't support is Porkbun. Decent pricing (also they have a $1 off promotion on transfers from Google Domains), some sense of humor and the company is owned by the creator of ICANNWiki, so they seem to be all-in on domains.
Personally I also use OVH, but that's primarily for .pl domains (and a single .uk that they apparently missed the price increase for, so I'm paying below registrar prices for it...), but I'm not sure if I'd recommend them over other options like CF.
-
@oplik0 said in .zip and .mov TLDs:
@julian I doubt Cloudflare will abandon their domain registry even if it doesn't make them much money
I'd say especially because of this. It's a zero profit item and they knew that going in. So it has no need to make money. They make bank in other areas, they are enormous now. And the cost of being a registrar is extremely low. So I'm sure it doesn't even show up on their radar.
-
@scottalanmiller I'd say it's less that cost of being a registrar is extremely low in general (support, and especially handling abuse, does require some headcount), but rather that it integrates cleanly into all of their other services as they need to handle most of the stuff related to domains anyway:
- DNS management? That's part of their core service
- Abuse reporting for domains? They proxy domains anyway, so they're handling a lot of this anyway (they do block domains for phishing or malware at least)
- Support that knows how domains and DNS works? Again, they need this for their core service
- TLS? Again, they do that for their core service
- heck, they're even offering stuff like email forwarding for any domain that uses them as DNS, so no need to do it separately
So they just profit from what most others need to use as bonus incentives to buy domains from them.
-
@oplik0 said in .zip and .mov TLDs:
just a month later, let Squarespace announce that they're killing (selling) Google Domains
They sold the Domain Registrar, they still own the TLD side of the business.
-
I also still have doubts regarding all those new gTLDs that are coming in droves. Regardless, I caved in and purchased a .community for my site. Namecheap have that first year discount.
I remember somewhere that you have to pay $100k or something at the very least if you want to have your own .customdomain
Has there ever been a recorded case in history of a generic top level domain dying because the Domain Registrar couldn't afford to renew the contract? Be it due to few people using it, etc.
-
@scottalanmiller said in .zip and .mov TLDs:
I'm confused, lol. Are you saying you use CloudFlare too for DNS?
Yes
-
@cat said in .zip and .mov TLDs:
I remember somewhere that you have to pay $100k or something at the very least if you want to have your own .customdomain
In the last round it was $185k, but that's the application fee - maintenance costs around $25k a year + $0.25 per domain if there are more than 50k registered domains under that TLD. And this is assuming there isn't any conflict with the registration. Auctions ended much higher than 185k. AFAIK .web is the current record holder at $135 million. And the cost for the next round is expected to be higher...
ICANN literally doesn't even know what to do with all this money. Especially since they ended up with a lot more than expected from auctions. They had to create a "New gTLD Auction Proceeds Cross-Community Working Group" whose work, after 5 years, resulted in the creation of the ICANN Grant Giving Program, which suggests they still have no real idea of what to do with it, so they just created a way for others to suggest their own ideas.
Has there ever been a recorded case in history of a generic top level domain dying because the Domain Registrar couldn't afford to renew the contract? Be it due to few people using it, etc.
I don't think so, and theoretically the initial cost includes money ICANN allocates for related contingencies (I think mainly lawsuits, but suspect it could be used to hold an auction for a failing gTLD). Not to mention that unless it's a specific brand TLD the owner would likely try to sell it themselves first.