Post AWwu0D7Mcv9PI7vf96 by tuxicoman@social.jesuislibre.net
 (DIR) Post #AWRpks4N1PKgInFkpM by suprjami@fosstodon.org
       2023-05-17T02:35:54Z
       
       31 likes, 62 repeats
       
       The new ".zip" domain is being used almost solely for malware. Some of the clicks are very deceptive, even to technically knowledgeable people. See the attached image for an example.
       
       You can block all zip domains with the following uBlock Origin rule:
       
       ||zip^
       
       Tell everyone you know.
       
 (DIR) Post #AWRq6jIOK6fJSfEaIq by VD15@pl.valkyrie.world
       2023-06-07T12:31:04.175665Z
       
       1 likes, 0 repeats
       
       @suprjami google and its consequences
       
 (DIR) Post #AWRqqUKyGpQOODGChM by francisscottkey@noagendasocial.com
       2023-06-07T12:39:21Z
       
       0 likes, 0 repeats
       
       @suprjami Who would have thought? 🤔  😉
       
 (DIR) Post #AWRrlpmtBv4jQGfCGu by PodunkPotato@nicecrew.digital
       2023-06-07T12:49:43.437495Z
       
       0 likes, 1 repeats
       
       Who possibly thought that this was a good idea? I don't see the non-malicious case at all.
       
 (DIR) Post #AWRs8ARV4puPr0JAie by VD15@pl.valkyrie.world
       2023-06-07T12:53:42.540597Z
       
       0 likes, 0 repeats
       
       @PodunkPotato @suprjami funny yourmom.zip domain name?
       
 (DIR) Post #AWRtL0XdIfoyrgraTI by sullybiker@sully.site
       2023-06-07T13:07:14Z
       
       0 likes, 0 repeats
       
       @suprjami Didn't virtually every infosec person say this would happen?
       
 (DIR) Post #AWRwtzQbjO61PTwwCG by apropos@freespeechextremist.com
       2023-06-07T13:47:13.770991Z
       
       1 likes, 0 repeats
       
       @PodunkPotato @VD15 @suprjami slightly bigger problem with the examples is that any browser would respect a punycode domain with unicode slashes. You really needed to move from light restrictions to no restrictions at all? Just because the dumb idea of "emoji domains" distracted you?
       
 (DIR) Post #AWRxXGNGexG7GG79YO by feld@bikeshed.party
       2023-06-07T13:53:51.156094Z
       
       0 likes, 0 repeats
       
       Show me a browser that parses that URL in such a way that everything before the @ is treated as HTTP Basic authentication?
       
 (DIR) Post #AWRxuQfKYwxBq7br4i by feld@bikeshed.party
       2023-06-07T13:58:08.392987Z
       
       0 likes, 0 repeats
       
       Let's try trurl, the URL parsing logic for Curl
       
       oh look, it does the right thing too
       
 (DIR) Post #AWRyMz5QBFWihbQgTo by feld@bikeshed.party
       2023-06-07T14:03:15.467614Z
       
       0 likes, 0 repeats
       
       Ruby:
       
 (DIR) Post #AWRyXPDDtrbqcs32KO by feld@bikeshed.party
       2023-06-07T14:05:13.351818Z
       
       0 likes, 0 repeats
       
       Python urllib3
       
 (DIR) Post #AWRyYco0qUbL4gpyaG by SlicerDicer@bikeshed.party
       2023-06-07T14:05:43.801877Z
       
       0 likes, 0 repeats
       
       @feld Still confused if paper is the problem or not. In the meantime? The solution is to ban the internet.
       
 (DIR) Post #AWRyiXKA5394yCbJwG by hakui@tuusin.misono-ya.info
       2023-06-07T14:07:33.601274Z
       
       1 likes, 0 repeats
       
       @suprjami the one with the @
       
       I've read that article before :smug1:
       
 (DIR) Post #AWRz4Uujio5HrlBFOy by tk@bbs.kawa-kun.com
       2023-06-07T14:10:59.665530Z
       
       0 likes, 0 repeats
       
       @SlicerDicer @feld https://12022021endofinternet.com/
       
 (DIR) Post #AWS0AkXKeNwY0gmJTE by pyrate@nicecrew.digital
       2023-06-07T14:23:51.768992Z
       
       0 likes, 0 repeats
       
       @ symbol - calling external site.
       
 (DIR) Post #AWS25ObwwQRYTBVrw8 by sjb@mstdn.io
       2023-06-07T13:40:19Z
       
       0 likes, 1 repeats
       
       @suprjami It feels the real mistake here was allowing the whole of unicode in domain names. Perhaps select one language for each URL and stick with it but mixing 10000 different symbols is going to lead to weird stuff like this
       
 (DIR) Post #AWT8c17K6dWq2m5Nrs by teilweise@layer8.space
       2023-06-07T15:31:40Z
       
       0 likes, 0 repeats
       
       @feld Try to copy & paste this URL: https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
       
       (Not everything that looks like a ∕ is a /.)
       
       The problem with .zip is that it is widely seen as a “safe” extension. (Otherwise .com would have been an even bigger problem …)
       
 (DIR) Post #AWT8c25aUZjb3gHVnk by feld@bikeshed.party
       2023-06-08T03:32:35.067888Z
       
       0 likes, 0 repeats
       
       Ok, but this is a problem that can be solved with a tiny patch that won't break anything: disallow HTTP basic auth embedded in URLs if any character codepoint is > 127. Require a pop up to enter the user/pass or just give an error about an invalid URL.
       
       Unicode characters here should definitely need to be explicitly encoded as base64 for the Authorization header.
       
       Anyone who *needs* this to work with Unicode characters can piss off. I'm willing to bet the RFCs don't have any MUST or SHOULD that mention non-ASCII characters be allowed here.
       
       Tada, we fixed it and everyone can put down their keyboards and stop crying about new TLDs
       
 (DIR) Post #AWTS7iZwSthcwZIliy by bjb@fosstodon.org
       2023-05-17T02:50:44Z
       
       1 likes, 0 repeats
       
       @suprjami The slashes in the path part of the first url look different than the slashes in the scheme and everywhere in the second url. So my guess is that the first url is the malicious one.
       
       I would have missed it if I hadn't been looking for a difference though. Thanks for the info.
       
 (DIR) Post #AWTS7jb2gIB26GpA4u by paul@notnull.click
       2023-06-08T07:11:41.697845Z
       
       0 likes, 0 repeats
       
       @bjb @suprjami interesting view - you're right about which one's malicious but not right about why... sort of
       
       the first URL has an @ symbol in it before the v1271.zip. the @ symbol in a URL is actually a separator between user and URL (you could have "username:password@web.site") so the first one tries to log in as "https://github.com/....." at (@) v1271.zip - so in actual fact the website you're going to is v1271.zip, not github at all.
       
       what you say about the slashes is interesting though, as whatever is styling the URL is almost helping highlight the problem. the correct link is completely a link, so all slashes are styled the same, but the malicious link isn't completely a link so some slashes are styled differently to the actual link ones.
       
       man this is hard to explain, I know you're fairly techy so I skipped some explanation, but try explaining that to a regular person!
       
 (DIR) Post #AWTzVowfk6pe7v2C2q by teilweise@layer8.space
       2023-06-08T07:09:32Z
       
       0 likes, 0 repeats
       
       @feld Sure, I’ll change my name to not contain unicode characters.
       
       Nobody needs unicode. Actually, BCDIC was good enough. Nobody needs uppercase characters in URLs.
       
       It’s OK, I will just piss off.
       
       Welcome to the kill file.
       
 (DIR) Post #AWTzVpdv9JQWI3GjSK by feld@bikeshed.party
       2023-06-08T13:25:27.484834Z
       
       0 likes, 0 repeats
       
       @teilweise Stop using basic auth and join us in the 21st century. It's not like you couldn't just change your username.
       
       If you were using LDAP, AD, Kerberos, OAuth, OpenID, etc you wouldn't be able to use HTTP Basic auth anyway.
       
       Complaining that you can't use Unicode characters that didn't even exist when the RFC was written is hilarious though.
       
 (DIR) Post #AWUAMuqDYG5pImyIq0 by icedquinn@blob.cat
       2023-06-08T15:27:30.810250Z
       
       0 likes, 0 repeats
       
       @suprjami :comfyglare: these are both .com domains
       
 (DIR) Post #AWUBFM5qRexXSbEwGO by teknomunk@apogee.polaris-1.work
       2023-06-08T15:37:20Z
       
       1 likes, 0 repeats
       
       @icedquinn @suprjami See https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5 this explanation.
       
 (DIR) Post #AWUEOokxXs9OpHfskS by seanking@kazv.moe
       2023-06-08T16:12:40.480656Z
       
       0 likes, 0 repeats
       
       @suprjami I looked up to see if this TLD was now a thing and it is....Google, are the .mov and .zip TLDs an out-of-season April Fools' joke? https://www.registry.google/announcements/launch-details-for-eight-new-tlds/
       
 (DIR) Post #AWue8WINEHxGin9WVs by chucker@norden.social
       2023-06-21T02:36:24Z
       
       1 likes, 0 repeats
       
       @paul @bjb @suprjami the fake slashes are critical to the attack. They become part of the basic auth user name. If they were real slashes, the browser would treat them as part of the path.
       
 (DIR) Post #AWueQHbaaMWKNDbuoy by paul@notnull.click
       2023-06-21T10:06:42.688011Z
       
       0 likes, 0 repeats
       
       @chucker @bjb @suprjami interesting and a really good point! I hadn't considered that.
       
       Imagine trying to explain that to somebody who had just downloaded the malware though!
       
 (DIR) Post #AWwhliQ8lKY8a827vc by ScriptFanix@pouet.chapril.org
       2023-06-07T23:15:39Z
       
       0 likes, 0 repeats
       
       @tizilogic They didn't. The domain starts after the @ @bjb @suprjami
       
 (DIR) Post #AWwhljChqlOj0kkucy by ScriptFanix@pouet.chapril.org
       2023-06-07T23:19:26Z
       
       0 likes, 0 repeats
       
       @tizilogic A bit more explaining: it's standard to write URLs that require authentication as http://username:password@example.com. so here, the weird part containing fake Unicode / is a username that the browsers will send like it's a basic auth @bjb @suprjami
       
 (DIR) Post #AWwhljzGwCFJRNThKK by apokrif@mamot.fr
       2023-06-21T02:10:37Z
       
       0 likes, 0 repeats
       
       @ScriptFanix Could a (opt-outable) warning message be displayed when a URL contains what may be misleading authentication data? @tizilogic @bjb @suprjami
       
 (DIR) Post #AWwhlkmC0JNTt6MlZw by breizh@pleroma.breizh.pm
       2023-06-21T22:33:54.248086Z
       
       0 likes, 0 repeats
       
       @apokrif @ScriptFanix @tizilogic @bjb @suprjami Firefox is doing it for ages now.
       
 (DIR) Post #AWwhllSjS9PC12Gjsu by breizh@pleroma.breizh.pm
       2023-06-21T22:38:40.015732Z
       
       1 likes, 0 repeats
       
       @apokrif @ScriptFanix @bjb @suprjami @tizilogic Translation:
       
       You are about to connect to “breizh.pm” with the username “breizh”, but this website does not require authentication. This may be an attempt to mislead you.
       
       Is “breizh.pm” the site you want to visit?
       
       (there is no auth on this website normally, that’s not a leak)
       
       This type of phishing isn’t new. It’s just a bit prettier than before.
       
 (DIR) Post #AWwhlq6aBveuPmwcYS by breizh@pleroma.breizh.pm
       2023-06-21T22:41:29.718321Z
       
       0 likes, 0 repeats
       
       @ScriptFanix @apokrif @bjb @suprjami @tizilogic (if the website has an auth, then it just says “You’re about to connect on “breizh.pm” with the username “breizh””, so you’re still warned, you just don’t have the extra part about the fact that the site isn’t supposed to have auth. Even with a password)
       
 (DIR) Post #AWwhluNOJNTrf4q6JE by ScriptFanix@pouet.chapril.org
       2023-06-07T23:21:30Z
       
       0 likes, 0 repeats
       
       @tizilogic To summarize: be wary of URLs containing @ @bjb @suprjami
       
 (DIR) Post #AWwhlw8vk76N8o5a2y by ScriptFanix@pouet.chapril.org
       2023-06-07T23:43:50Z
       
       0 likes, 0 repeats
       
       @tizilogic Final note: here, the domain is 1.zip. owners of that domain can create any subdomain they want, with unicode if they choose to.
       
       Final final note: a Unicode domain will be changed by the browser to some weird string beginning with xn--. The user may or may not see this when the browser starts the download, depending on how they implement stuff (though probably not) @bjb @suprjami
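
The parsing rule the thread keeps circling (paul's "@ is the user/host separator", chucker's "the fake slashes are what keep the text in the userinfo", breizh's Firefox prompt, and the xn-- note above) can be checked directly in code. The block below is an added example of my own, not code posted by anyone in this thread or by any browser or library project. The URLs in it are constructed for the example; the lookalike uses U+2215 DIVISION SLASH, and `v1271.zip`, `github.com` and `exämple.zip` are sample values, not hosts to visit. The `suspicious_userinfo` heuristics and the `warning_message` wording are my own approximation of the Firefox prompt quoted above, not Firefox's implementation.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed samples for this example (not the thread's own image). The
# lookalike slashes are U+2215 DIVISION SLASH: they render like "/" but are
# not the path delimiter, so everything up to "@" stays in the authority
# and becomes RFC 3986 userinfo; the real host is what follows the "@".
FAKE_SLASH = "\u2215"
LOOKALIKE_URL = "https://github.com" + FAKE_SLASH.join(
    ["", "kubernetes", "kubernetes", "archive", "refs", "tags", "@v1271.zip"]
)
# Same text with genuine slashes: the "@" now sits in the path, not the authority.
REAL_SLASH_URL = "https://github.com/kubernetes/kubernetes/archive/refs/tags/@v1271.zip"
# The link the lookalike imitates.
GENUINE_URL = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"

# Characters that are commonly mistaken for "/" (assumed list for this example):
# DIVISION SLASH, FRACTION SLASH, FULLWIDTH SOLIDUS, BIG SOLIDUS.
LOOKALIKE_SLASHES = {"\u2215", "\u2044", "\uff0f", "\u29f8"}


def effective_host(url: str) -> Optional[str]:
    """Host the client actually connects to: the authority text after the last '@'."""
    return urlsplit(url).hostname


def userinfo(url: str) -> Optional[str]:
    """The 'user' or 'user:password' text before the host, or None if absent."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    user = parts.username or ""
    return user if parts.password is None else f"{user}:{parts.password}"


def suspicious_userinfo(url: str) -> List[str]:
    """Defender-side heuristics: reasons the userinfo looks like a spoofed host/path."""
    info = userinfo(url)
    reasons: List[str] = []
    if info is None:
        return reasons
    if not info.isascii():
        reasons.append("non-ASCII characters in userinfo")
    if any(c in info for c in LOOKALIKE_SLASHES):
        reasons.append("slash lookalike in userinfo")
    if "." in info:
        reasons.append("userinfo contains a dot (looks like a hostname)")
    return reasons


def warning_message(url: str) -> Optional[str]:
    """Prompt text modelled on the Firefox warning quoted in the thread (my wording)."""
    info = userinfo(url)
    if info is None:
        return None
    user = info.split(":", 1)[0]
    return f'You are about to connect to "{effective_host(url)}" with the username "{user}".'


def wire_host(host: str) -> str:
    """What a Unicode hostname becomes on the wire: IDNA ASCII form with xn-- labels."""
    return host.encode("idna").decode("ascii")


if __name__ == "__main__":
    for url in (LOOKALIKE_URL, REAL_SLASH_URL, GENUINE_URL):
        print(url)
        print("  connects to:", effective_host(url))
        print("  userinfo:   ", userinfo(url))
        print("  flags:      ", suspicious_userinfo(url) or "none")
        print("  prompt:     ", warning_message(url) or "none")
    print("exämple.zip on the wire:", wire_host("exämple.zip"))
```

Running it shows the three outcomes side by side: the lookalike parses to host `v1271.zip` with a long non-ASCII "username", the same text with real slashes parses to host `github.com` with no userinfo at all, and the genuine link has nothing to flag. Python's `urllib.parse` is used here because it, like trurl and urllib3 mentioned earlier in the thread, applies the RFC split rather than guessing from appearance; the heuristics only fire once the URL has actually been split that way.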
       
 (DIR) Post #AWwu0D7Mcv9PI7vf96 by tuxicoman@social.jesuislibre.net
       2023-06-22T12:10:41Z
       
       0 likes, 0 repeats
       
       @suprjami the first one has 2 links: the @ is not underscored? I don't get the trick if this is the issue. A web designer can put a different href than what is displayed (even change the href on click with javascript)