Don’t panic. Google offering scary .zip and .mov domains is not the end of the world

Comment In early May, Google Domains added support for eight new top-level domains, two of which – .zip, and .mov – raised the hackles of the security community.

The reason, of course, is that .zip and .mov are both common file extensions. So there’s concern that a miscreant could employ these TLDs to confuse people into visiting a malicious website when they think they are opening a file, among other threat scenarios.

A security researcher who goes by the name “bobbyr” offered an example of the problem with Google’s move in a blog post on Tuesday. They pointed out that by abusing a known Chrome behavior – one Google has decided not to fix – it’s possible to construct a URL with a Unicode character that displays as a slash – U+2215 (∕) – but isn’t treated as a slash when the browser fetches the URL.

And by adding the @ operator in the URL – used to delimit the user information (RFC 3986) part of the URL scheme and ignored in most modern browsers because embedded authentication is somewhat unsafe – this link …

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

… gets treated as …

v1271.zip

… because everything before the @ delimiter is treated as user information.

The resulting v1271.zip domain could be registered and used to host, say, a Flask application that responds to any request with a malicious .exe file.
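A URL scanner can catch this pattern before a user ever clicks: parse the link the way a browser does, compare the host the parser fetches with the host a human would read off the text, and flag userinfo, slash lookalikes and file-extension TLDs. The following is an added example for this article, not code from bobbyr’s post or from any browser; the lookalike set and the thresholds are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Characters that render like "/" but are not path separators to a URL parser.
# Constructed list for this example; U+2215 is the one the article describes.
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\uff0f"}

# TLDs that double as file extensions (the two the article is about).
FILE_EXTENSION_TLDS = {"zip", "mov"}


def apparent_host(url: str) -> str:
    """Host a reader is likely to perceive: text after the scheme up to the
    first real slash or slash lookalike, stopping at any '@' as well."""
    rest = url.partition("://")[2]
    for ch in SLASH_LOOKALIKES:
        rest = rest.replace(ch, "/")
    return rest.split("/", 1)[0].split("@", 1)[0].lower()


def analyze(url: str) -> dict:
    """Return the host a browser would actually contact and a list of reasons
    (empty if none) why the URL reads differently from what it resolves to."""
    reasons = []
    try:
        parts = urlsplit(url)
    except ValueError:
        # Recent CPython rejects authorities whose NFKC form would introduce
        # '/', '@' and similar; treat that as suspicious rather than crashing.
        return {"host": None, "reasons": ["netloc rejected by parser"]}
    real = parts.hostname or ""
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    if any(ch in parts.netloc for ch in SLASH_LOOKALIKES):
        reasons.append("slash lookalike inside the authority")
    seen = apparent_host(url)
    if seen != real:
        reasons.append(f"reads as {seen} but resolves to {real}")
    if real.rsplit(".", 1)[-1] in FILE_EXTENSION_TLDS:
        reasons.append("TLD doubles as a file extension")
    return {"host": real, "reasons": reasons}


if __name__ == "__main__":
    # The link from the article, written with U+2215 in place of "/".
    deceptive = ("https://github.com\u2215kubernetes\u2215kubernetes"
                 "\u2215archive\u2215refs\u2215tags\u2215@v1271.zip")
    print(analyze(deceptive))   # host is v1271.zip, four reasons listed
    print(analyze("https://github.com/kubernetes/kubernetes/archive/"
                  "refs/tags/v1.27.1.zip"))  # host github.com, no reasons
```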

That URL parsing behavior is evident if the above URL is pasted into the Chrome omnibox. Chrome will show the
