Empowering Users, Raising Awareness, and Mitigating Risks
Google’s .zip TLD and Information Security Concerns
I’m sure you’ve heard about the recent discussions surrounding Google’s release of the .zip Top Level Domain (TLD) to the public for registration. This move raises several concerns, especially within the domain investing and collecting community to which I belong. In this post, I want to touch on the surface-level implications from an Information Security perspective and explore ways to raise awareness among less technically inclined users. I want to make it clear that it is not the user’s fault for not understanding how these things work. It is not a rite of passage for shaming individuals, and I believe doing so only contributes to the issue. We need to work together to establish awareness so that everyone can browse the internet safely.
Background and Context
If you recall my previous LinkedIn Job Scam post, you’ll understand that while average individuals may have a vague sense of suspicion, they often lack the knowledge to validate their concerns. For instance, they may not know how to verify a domain’s authenticity using platforms like WHO.IS, or how to examine email headers for DKIM, DMARC, and SPF records.
What the Average Person Should Know
To better equip the average person, I believe it’s important for them to have a basic understanding of the following:
1. Registering a Domain Name
Knowing how to register a domain name empowers individuals to take ownership and control of their online presence.
2. The Role of ICANN
The organization responsible for regulating registrar policies and standards is ICANN (The Internet Corporation for Assigned Names and Numbers). Familiarity with ICANN’s role helps users navigate the domain landscape more effectively.
3. Utilizing WHOIS Records
Being able to search WHOIS records can provide valuable information about domain ownership and contact details, allowing users to verify the legitimacy of a website.
4. New and Potentially Deceptive Top Level Domains
Awareness of the existence of new, interesting top-level domains (TLDs) that could be used deceptively, such as .zip, .mov, .email, or even brandname+keyword.com, helps users exercise caution when encountering unfamiliar domains.
5. Staying Up-to-Date
Staying informed about developments in the domain name space is crucial. Resources like the TLD Release Schedule and NamePros can provide valuable updates and insights.
Potential Risks and Scams
Scammers often exploit deceptive URLs to mimic legitimate websites or trick users into downloading harmful content. For example, they might use a link like “attachment.zip” or create a fake Microsoft update with a .zip domain extension. These cleverly disguised links can easily deceive users into clicking, leading them to believe they’re accessing a trusted source.
One compelling example was discussed in a fantastic Medium post by a user named “Bobbyr.” He highlighted an old URL feature that is largely obsolete today but can be combined with the new .zip TLD to deceive people. Here’s a similar example to the one he shared:
- Deceptive URL (take note of the slashes and the @):
  - https:∕∕google.com∕location∕database∕@areacode.zip
- Genuine URL:
  - https://google.com/location/areacode.zip
The only difference between the two URLs is the “@” and “/” symbols. In modern practice, we don’t really include passwords in URLs, but in the past it was a feature. The presence of “@” in a URL designates everything before it as the username:password section. Whatever follows the “@” is the actual host name, and the username:password section is ignored for the purpose of deciding where you end up. The slashes in the deceptive URL are not the ASCII “/” at all; they are Unicode lookalike characters that render almost identically, so they never terminate the username section the way a real slash would.
Although userinfo in URLs is rarely used today, browsers still honour it, so a registered .zip domain can be dressed up to look like a file path on a trusted site, effectively deceiving users who don’t verify the links they click. This is especially true for those who are groggy and haven’t had their morning coffee yet, checking their emails first thing in the morning.
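To make the two tricks concrete, here is a small checker that resolves a link the way a browser would (authority up to the first ASCII slash, host after the last “@”) and flags userinfo and lookalike slashes. This is my own added example, not code from Bobbyr’s post or from this site; the lookalike table adds U+FF0F to the two code points Bobbyr names, and the sample links are constructed to mirror the pair above.

```python
import re

# Unicode characters that render much like the ASCII "/" (U+002F). The first two
# are the ones Bobbyr's post flags; FULLWIDTH SOLIDUS is added by this example.
SLASH_LOOKALIKES = {
    "\u2044": "FRACTION SLASH",
    "\u2215": "DIVISION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.DOTALL)


def analyze_url(url: str) -> dict:
    """Return where a URL really points, mirroring how a browser resolves it.

    Browsers treat everything between the scheme and the first ASCII '/', '?'
    or '#' as the authority, and everything before the LAST '@' inside that
    authority as userinfo (username:password). The host is what follows the
    '@'. Lookalike slashes are ordinary characters and never end the authority.
    """
    lookalikes = sorted({f"U+{ord(ch):04X}" for ch in url if ch in SLASH_LOOKALIKES})

    m = _SCHEME_RE.match(url)
    if m:
        scheme, rest = m.group(1).lower(), m.group(2)
    else:
        scheme, rest = None, url

    # http(s) parsing skips any run of leading ASCII slashes before the authority.
    rest = rest.lstrip("/")
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]

    has_userinfo = "@" in authority
    host = authority.rsplit("@", 1)[-1]
    # Drop a port if present (bracketed IPv6 literals are not handled here).
    host = host.split(":", 1)[0].lower()

    return {
        "scheme": scheme,
        "host": host,
        "has_userinfo": has_userinfo,
        "lookalike_slashes": lookalikes,
        # Either trick on its own is reason to stop and look at the real host.
        "suspicious": has_userinfo or bool(lookalikes),
    }


def explain(url: str) -> str:
    """One-line verdict a non-technical user can read: where the link really goes."""
    r = analyze_url(url)
    notes = []
    if r["has_userinfo"]:
        notes.append("text before '@' is a username, not the site")
    if r["lookalike_slashes"]:
        notes.append("contains slash lookalikes " + ", ".join(r["lookalike_slashes"]))
    verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
    detail = f" ({'; '.join(notes)})" if notes else ""
    return f"{verdict}: actually goes to {r['host']}{detail}"


if __name__ == "__main__":
    # Constructed sample links mirroring the pair discussed in the post.
    deceptive = "https:\u2215\u2215google.com\u2215location\u2215database\u2215@areacode.zip"
    genuine = "https://google.com/location/areacode.zip"
    for link in (deceptive, genuine):
        print(explain(link))
```

The deceptive sample reports that it actually goes to areacode.zip, while the genuine one resolves to google.com; the same function works on any pasted link, which is the “hover and check the real host” habit the post recommends, done in code.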
Raising Awareness
So, how can we raise awareness about these risks? If you’re reading this post, chances are you’re already within my circle of information security enthusiasts and are familiar with these concepts. However, there are countless individuals out there who lack knowledge of these fundamental concepts, such as what a domain name is, how to register one, and how to identify suspicious domains.
It surprises me how something as commonplace as domain names can be used by individuals without a true understanding of their significance or their historical context on the internet. It’s not their fault, as their expertise lies in other professions. We all need to collaborate and work together to bridge this knowledge gap.
The Importance of Raising Awareness
Just like any vulnerability that preys on people’s lack of knowledge, raising awareness is crucial for mitigating risks, whether in a corporate environment or among friends who may be uncertain about potential hacking attempts. However, it’s essential to approach this awareness campaign without humiliation. When we mock others for their mistakes, they become less likely to seek help in the future. Instead, we should approach them with humility, seeking to protect their assets and advocating for them when we identify potential threats before they do.
Let’s work together to ensure everyone has a basic understanding of domain security and can navigate the ever-evolving digital landscape safely.
Reporting Domain Names
ThioJoe has provided an excellent list from one of his videos that I think is a great starting point. If you find a suspicious domain name, you can go through all these below to get it taken down from search engines.
Out of inspiration, I have created a site called ReportName.com where you can find an ever-growing list of report links. It is memorable and easy to tell people! That, I believe, is key to bridging the gap and raising awareness, and it is the main reason I made the site: it’s much easier to point people to one link rather than 20. It has a client-side checklist so people can track their thought process for each report.
If you’d like to contribute to the project, you can email me at [email protected] or donate!
Credits and Resources
I would like to acknowledge the following individuals and resources for their valuable insights and contributions:
- Bobbyr: I highly recommend checking out Bobbyr’s Medium post on the dangers of Google’s .zip TLD, which sheds light on this topic. He goes really in depth and deploys a Flask app on an EC2 server as a real-world scenario with an “evil.exe”. His detection suggestions are to look for U+2044 (⁄) and U+2215 (∕), for “@” operators followed by .zip, and to always be diligent and hover over the URL to see where it is going.
- LinkedIn Job Scam Post: Referencing my previous post that highlights the importance of vigilance when encountering job scams on LinkedIn.
- WHO.IS: A valuable website for searching WHOIS records to verify domain ownership and contact details.
- TLD Release Schedule: Stay up-to-date with the release schedule of new top-level domains (TLDs).
- NamePros: An online community providing insights and discussions related to domain names.
- ThioJoe: A friendly explanation of .zip TLDs and how people can stay informed.
- Seytonic: Another excellent perspective on the situation.
- ReportName.com: A website I created that makes the domain name reporting process easier. It will also eventually have links for all sorts of things, so be on the lookout for updates.
Please note that these resources have been instrumental in shaping the ideas presented in this post, and I encourage you to explore them for further information on the subject. I will continue to add more as I make updates. (Update: 5/21/2023)