You know it's bad when you're relatively tech savvy but can confidently say you would fall for something...

The zip TLD is genuinely one of the dumbest decisions Google has ever made. Hey, let's add exe as a TLD as well, while we're at it.

My biggest question is: Who the heck let Google be a TLD registrar???

You and I, maybe we can be on the lookout for this. How on earth am I going to explain this to the infinitely large swathes of non-tech-savvy people I know?! Bad move, Google. Very bad.

Sweet, please make a video once a google employee gets pwnd by this domain lol

The fact that the people at the head of this thought it's a good idea to create a .zip domain possibly scares me. It's like they don't even care what happens to their loyal customers. Even as someone who doesn't interact with much outside of a couple friends, I'm worried about falling for one of these now. This opens up so many more attack opportunities that it's quickly becoming dangerous to even download anything that normally sends you to a blank page that auto downloads the file.

When .rar and .7z TLDs exist, we will know that this act was malicious the whole time.

Who could have seen this coming! That anyone thought that having a gtld be an archive file extension was a good idea is beyond me.

It was irresponsible to allow the TLD in the first place

I'm a reasonably tech-savvy, non-expert user and having heard your arguments, I am now convinced that this was a bad idea and should be undone.

don’t know about you guys but i can’t wait to click on all the .zips i see

It's a thing I would fall for if I didn't follow all the drama... How the hell will I explain this to my parents?

Thanks for pointing that out. I've added the .zip TLD to my pi hole's regex blacklist, such as many other suspicious TLDs too.

Google been comfortable collecting checks from black hats for years. Wouldnt suprise me if they put these features out specifically for thwm to drum up new rev streams. Orgs should block zip and mov sites in their dns internally

Can't wait to be hyper paranoid when downloading any zip file from now on

My grandmother’s computer stands no chance now

Google is gonna paddle back and introduce a .rar domain instead!

It sounds to me like the Markettng department at Google managed to override all the sensible teams (Security, IT, Dev, and practically any other technical team). There is a reason that Marketing departments are often referred to as "the colouring-in team".

In my opinion, browsers should just refuse to resolve TLDs like this. I don't particularly care that it would be walling off anyone who purchases a .zip or similar domain, the only way to shut something like this down is to simply refuse to comply. Make the .zip TLD completely useless and the problem will solve itself. Unfortunately we all know that's never happening, seeing as the people who issued the TLD also make the most popular browser, but a clear "potentially malicious link" warning would at least be nice.

Why am I not surprised that Google continues to make literally everything they touch just a little bit worse?

2:50 userinfo in url's isn't a legacy feature. it is very often used as username@host for other protocols like e.g. ssh

Honestly, it's still insane that chrome automatically downloads files by default.

Who thought zip was a good idea for a TLD?

there is a workaround to make sure you dont fall for this, add the following to your adblocker of choice (which should be ublock origin) ||zip^$document ||mov^$document this will block visiting sites with .zip and .mov tlds, while still allowing recources to be fetched from them (like if google decides no use a .mov domain to serve yt videos) and allowing "zip" and "mov" everywhere else in the url. this should give you a nice warning to let you know youre making a mistake, but its not a fix for the underlying problem, and will only really help for already tech savvy users.

Your videos are the best. Seriously there's no better channel for cybernews. Thank you sincerely.

there should be a committee that looks at more things than just the transaction number. Like the potential ramifications of allowing the TLD to exist

I understand what you’re saying about web developers implementing safety features like not auto linking, but I see a bigger issue in that random web developers should not have to pick up the pieces after a terrible decision by google. Firstly because it’s not their responsibility (it is google’s, for making a decision that will so obviously go wrong), but also because the average web developer can’t reasonably be expected to know this is happening. That’s not even mentioning the amount of programs that are actively used but don’t receive updates.

The shitstorm once it'll be made public that the first google employee fell for this is gonna be gold. Worst idea ever Google. Also, I'm still mad u cancelled Wave.

When programmers have to add a _exclusion_ for .zip domains, you already fucked up. That is a SQL-Injection sized issue - because now programmers have to be aware and invest extra effort just to not cause a issue.

I'm not gonna try to defend myself. I work in IT and I think I would fall for it as well

Well there goes my Monday, Blocking all TLDs that resemble file names >.< - I await to see a .rar, .7z, .zip or god forbid tax_invoice.xlsx

So to remind everyone about links: *_DO NOT CLICK RANDOM LINKS_* Even if it comes from a "credible" source. check, double check, recheck and check again for good measure.

The @ before domain is still widely used in ssh. It is used to specify which username you want to use on the ssh server.

Hehehe, I just bought one because they are surprisingly cheap. Using it for a personal landing page and some self hosted services because it's nice and short.

just because an issue was marked wontfix years ago doesn't mean they can't change their mind if the user credentials in URL trick ever becomes a common attack. auto-hyperlinking domains is the only real concern here, and it can be fixed easily by web developers

Google really going for the big brain manouvers. 🤔

Appreciate the nod @Seytonic! :) Hope to have helped with at least some of the blast radius...

Firefox actually asks to confirm when navigating userinfo URLs, so it is less likely to work on it as on Chrome

Not often i find something I would actually fall for. Thanks for bringing it to my attention

This was definitely a decision made my a non technical manager type who is refusing to back down now

Lol, time to super-harden my home network due to my elderly parents being on it. This will be a nightmare

Read about this example last night, and I think your animated version does a great job of making it more understandable! Yeah, potential mess! Thanks! 😎✌️

This is seriously a bad idea, they could have chosen anything else but this

Wow. I never saw this coming.... Google with their ever increasing stupidity, but as long as they can make some money out of it eh?

Too many projects not maintained to receive updates that would prevent auto highlight of .zip domains. Though maybe they wouldn’t recognize them anyways. Either way I think it’s too confusing for the end users that are unlikely to learn about it. Adds a tool for phishers and seems low value for the TLD domain space

These "new TLDs" have been available to Google since 2014, just now made public.

I believe that we should only have TLDs for each internet governance authority, since that's what they're for - to designate where to send domain resolution requests to.

This is all going to get worse with Google having complete control over the web now....

Blocked the whole TLD after seeing that medium article example. That's just too sneaky.

This just seems like a gift to hackers. Not sure what the legitimate use case is. Also it's ridiculous the number of TLDs being created just in general. I guess it's close to 100% profit for the registrars and that's the motivation behind it.

there must have been AT LEAST one person in the Google team that knew the repercussions and stayed quiet. no?

Set your browser to ask before downloading and you will save your self from those websites that redirect you to an automatic download.

Thanks for letting us know! You're the best! 👍

The "backup" one serves a random backup-related quote.

Liked and sub, Amazing video! Pd: Google's motto "Don't be evil" now looks more like just another corporate cliche.

we won't believe the amount of normal company employees falling for this

Firefox actually does some work in this regard. As you mentioned, everything before the @ sign is considered a username (and password if there's a : as well), so when you click on such a malicious link, but the landing page doesn't accept logins, Firefox displays a message saying if you're sure you want to proceed because you're about to land on a page that didn't request a login, but the link provided one. Not completely fool proof, but it's a step in the right direction.

Noting your browser section, Firefox has had a feature to combat this *sort of* for a little bit at least. When you try to connect to a page with a username that doesn't take a login, it will immediately prompt you before navigating.

Welp, now I just have all the more reason to double-check every link I see lol

The scary/infuriating thing about this is that I would 100% fall for this if there were no other obvious red flags of a phishing scam. Those links are very convincing. Sure I wouldn't be dumb enough to open a zip file from a random email (be it an actual .zip or an obfuscated URL), but if it is socially engineered in the right way that gives me little reason to question the authenticity, then sure I could see myself falling for this 👀

Googles big brain move here is capitalizing on White hats who will buy up .zip domains xD

This is a really bad idea. What legitimate domains would use this? A zipper company or maybe compression software like 7zip? The negatives far outweigh the positives. Waiting on the .exe/.dmg domains next.

I've always been a little skeptical of .zip ever since Google announced it. Guess my skepticism was well placed!

I see the bigger issue in Chromium allowing fake slashes in user credentials / allowing user credentials there at all. I'd like to see them removed, and the issue is done.

Google doing such a seemingly dumb action implies to me that there's something going on behind the scenes that extends to beyond network security that had influenced its existance

I wouldn't even be surprised if google knew exactly what they were doing. It's all about the $$$

I feel like this on the Google ads thing it seems like Google wants people to get hacked

Buying a .zip asap

If you are phishing someone through gmail with the zip tld then wait until you hear about link display texts. You can already do these download urls scams with any domain. Just checked discord and looks like the part before the @ gets removed in your message. Telegram also has link display texts. But sure, if I see it on a website, I'd probably fall for it

I have experience reporting bugs to chromium. They refuse to care if it's not something super critical. :D

this is why I have zip and mov blocked at a domain level in my firewall it will just get sent to a blackhole on my network.

I've been using URLs with @ for SSH logins and git clones for some time now, yet I absolutely would've fallen for this one on any font that doesn't give away the slashes... Can we go back to when my online safety wasn't dependent on font choice please

o god another thing I need to try and explain to my parents - also PCBway even got to you lol

Thanks for the video, will block tomorrow every .zip domain for dna resolution in the firm.

Im using NextDNS, and I block new registered Domains and the whole .ZIP Domain by default.

Lesson learned, hover your cursor above a zip download link to check the domain.

I guess blocking out the .zip TLD via some DNS resolver could be a solution, for now.

Why on earth did they choose .zip? Is there a logical reason?

Okay i seriously wondering which Engineer or cyber security specialist thought making file name domains was a smart idea. Honestly this just sounds like some marketing people convincing executives that they could earn a lot of money and not listening to engineers

Why big companies love these days to 'unsecure' the masses ? Lately Discord and Ledger and now Google. What they're up to ???

How does a multi-billion dollar tech company not see anything wrong with providing a .ZIP-TLD. i think even my dad could tell me why that is a bad idea and he hasn't even used a computer since a few years now

I think web browsers should just blacklist such websites and not treat them as hyperlinks, if someone wants to manually type it in their address bar fine, if not then it shouldn't be rendered as a hyperlink, you can probably make a chrome extension that does this for people

cheers for sharing this. Another potential exploit to look out for.

Because Google wants more money. Not a bit more but globally much more money. More types of TLD means a company owner needs to register more domain names to protect against domain name abuse.

Upcoming TLDs include: .exe, .docx, .pdf, .mp3 and .png!

word on the grapevine is this is straight-up deliberate. zip and mov files are often used in piracy, and this is a sledgehammer blow to reduce confidence in those formats

I’m honestly wondering if this was made for cybercriminals. Like, this product is targeted towards them or something. Even though this is a stupid thought, I literally cannot fathom for what other reason they did this.

For some things I am convinced we should have just stuck to ASCII, and URLs are such a thing. The amount of damage done by it is not worth this, having to type a few more characters is obviously better. (Or at least no Unicode symbols, just the letter class... Anything else seems just quite absurd to me)

Well at least no one will be falling for Homework. That cost me quite a bit!

While Google mentions that they have mechanisms to suspend or remove malicious domains across all TLDs, including .zip, they do not provide specific details about the countermeasures designed specifically for this TLD. I can't simply allow a company so powerful to hand-wave this without explaining how, in detail, they have control over the situations. This is a lack of transparency of which all consumers of the internet need to be wary of.

It would be nice for DNS service providers other then Google to redirect access for the users which trying to resolve .zip .Mov etc domains with the stab that show user it trying to access something shady.

Most of this seems more like other security failures that are being exposed now

Cant wait to fall for this because im tired and need to get one of my million projects finished quick

I would like to know more about the person who designed a unicode character to look almost like a slash. Genius.

0:20 that’s not irony, it’s coincidence. Irony would be the URL actually got longer.

never knew about this thank you very much for spreading the word

honestly i think the best thing to do is either have browsers no longer support that legacy feature you mentioned or have browsers show a warning edit: firefox already does this lol

it seems insane, almost like they want to cause trouble with it

I posted this on Facebook to let my friends know. So Google is expecting developers to fix a problem they started

Thanks, Google, for your continuous work to make the web a horrible place to be.