Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Google's .zip Provides Another Reason to Beware of Wacky Top-Level Domains

Adam Engst

At Medium, [1]Bobbyr writes:

    Google launched a new TLD or 'Top Level Domain' of .zip, meaning you can now purchase a .zip domain, similar to a .com or .org domain for only a few dollars. The security community immediately raised flags about the potential dangers of this TLD. In this short write-up, we'll cover how an attacker can leverage this TLD, in combination with the @ operator and unicode character ∕ (U+2215) to create an extremely convincing phish.

The .zip top-level domain is a terrible idea from a security perspective, and we can only hope that saner heads keep .jpg, .gif, .pdf, and .exe out of [2]the complete list of top-level domains. Amusingly, [3]Michael Tsai points out that the .zip proposal originally referred to Iomega's now-defunct Zip drives. Sadly, it wasn't denied like .floppy and .betamax.

More generally, when I'm scrubbing spambot-created accounts from my WordPress setup, every email address ending in a wacky top-level domain is bogus. The moral of the story is that if you must register an unusual top-level domain for a Web project, don't also use it for email.

[4]Read original article

References

1. https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5
2. https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
3. https://mjtsai.com/blog/2023/05/17/zip-tld/
4. https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5
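The combination the quoted write-up names (a .zip host, the @ operator, and U+2215 in place of a real slash) can be caught by parsing a link the way a browser does and comparing the host a reader sees with the host the browser contacts. The following is an added example, not code from TidBITS or the Medium article; the function names, the extra look-alike U+2044, and the sample links (example.com, sample-archive.zip) are assumptions constructed for illustration.

```javascript
// Added example: inspect a link with the WHATWG URL parser (global in Node and browsers).
const LOOKALIKE_RE = /[\u2215\u2044]/; // U+2215 is named on the page; U+2044 is an assumed extra
const FILE_LIKE_TLDS = ["zip"];        // the TLD the page discusses

// Percent-decoding can throw on malformed input; fall back to the raw text.
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch { return text; }
}

function inspectLink(raw) {
  let url;
  try { url = new URL(raw); } catch { return { parsed: false, reasons: ["unparseable"] }; }

  // Everything between "//" and "@" is userinfo, not the destination.
  // The parser percent-encodes non-ASCII userinfo, so decode it before checking.
  const userinfo = safeDecode(
    url.password ? `${url.username}:${url.password}` : url.username
  );
  const host = url.hostname;
  const reasons = [];

  if (userinfo) reasons.push("userinfo-before-@");
  const hasLookalike = LOOKALIKE_RE.test(userinfo);
  if (hasLookalike) reasons.push("slash-lookalike-in-userinfo");
  if (FILE_LIKE_TLDS.some((tld) => host.endsWith("." + tld))) {
    reasons.push("file-extension-tld");
  }

  // What a reader takes for the host: the text before the first fake slash.
  const apparentHost = hasLookalike
    ? userinfo.split(LOOKALIKE_RE)[0].toLowerCase()
    : null;

  return { parsed: true, host, apparentHost, reasons,
           deceptive: hasLookalike && apparentHost !== host };
}

// Constructed sample links: a genuine file download, then the look-alike form.
const SAMPLES = [
  "https://example.com/downloads/sample-archive.zip",
  "https://example.com\u2215downloads\u2215@sample-archive.zip",
];
for (const link of SAMPLES) console.log(link, inspectLink(link));
```

A mail gateway or link-preview service can apply the same check and show `host` rather than the raw link text whenever `deceptive` is true.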