● What the HELL is Google Thinking?

Sun May 21, 2023 12:37 pm
Clan Leader
Top Dog
Nuke Dev / Coder
3040 Posts
coRpSE
Currently Offline
Offline

Most Played:
This week: 11.0hrs.
Total Played: 2,720hrs.


  
Must be married.
Reputation: 7377
votes: 7
Expand


Okay, I saw this headline a few days ago but, didn't pay much attention to it for I was busy doing other things. I finally learned more this late on Friday night, Saturday Morning when I was watching the WAN show. Well, when it popped up as one of their talking points, I brought up the article from arstechnica.com and read through it and I have to agree with many of the security circles that are bringing up a valid security issue with this. I will not go into the in-depth issues, and I will just highlight what is going on and what to look out for, and if you like to know more, I will link several sites to read over.

Now, what is going on, what did Google do now?

This can be a bit confusing at first, but this comes down with a couple of TLDs that Google added to the internet a couple of weeks ago. A TLD, also known as a "Top Level Domain", is the same thing as a .com, .net, .org, .gov, and so on. Those are TLD's. Now, you may ask, what is so bad with adding more. There is nothing wrong unless those new TLDs are prominent in other areas, and since being well known in other areas, they could help manipulate/disguise links to send people to sites/locations that are harmful.

Well, the new TLDs Google has introduced is .zip and .mov. For anyone of you that have ever downloaded a file from our site, or other sites, there is a good chance that it was packed into a zip folder. If you look at the file path in the URL for one of these files, it usually ends with a .zip, like fakesite.com/file.zip. There are other compressions we use like .rar, which I like, and also 7z. The other new TLD that is causing concern is .mov, which is associated with Apples Quicktime format for their videos.

Googles marketers say that the goal is to designate .zip with "tying things together or moving really fast", and with .mov, "moving pictures and whatever moves you", but you have to be a freaking idiot to think this was a good idea. I can see this as being something that can be used to hurt people more than anything, and that marketing, well, that's just a fucking joke IMO and who ever thought that should be fired, IMO.

How and why is this a bad thing?

I am going to quote "DAN GOODIN" from arstechnica,

Many security practitioners are warning that these two TLDs will cause confusion when they’re displayed in emails, on social media, and elsewhere. The reason is that many sites and software automatically convert strings like "arstechnica.com" or "mastodon.social" into a URL that, when clicked, leads a user to the corresponding domain. The worry is that emails and social media posts that refer to a file such as setup.zip or vacation.mov will automatically turn them into clickable links—and that scammers will seize on the ambiguity.


I am going to show you what I mean just by using my site here, (headshotdomain.net), and Lonestars website, (lonestar-modules.com). Now, pretend that Lonestars site ends with a .zip rather than a .com.

If I give you a URL like:
Please login to see this link
Get registered or Log in


That will bring you to my 404 error page on our site, but what if I remove that / that is before the @ symbol.
Please login to see this link
Get registered or Log in


You will see that it will redirect you to Lonestars site. Now, what if someone bought the domain installer.zip, or evo-download.zip, and then gave you a URL like www,headshotdomain,net/@evodownload.zip, (I used a comma, so it wouldn't be an actual link.).

There are more things that can be done, like using Unicode characters to put something like U+2044 (⁄) and U+2215 (∕) which can be put in to look like a forwardslash, (/), but without altering the way the browser would interpret it, but you would need to read the provided articles at the end, especially the section that goes over the Chromium bug and how it can factor in with this.

What do I need to do to protect my self?

Well, it's simple. It's something that I have been doing for years without even thinking about it. Before I click a link or a button, I check where they hyperlink is going to take me. I use Google Chrome my self, so when I hover a link, I see in the lower left of my screen the actual path where I am going. I always look at that and I stay one reputable sites. If I think a site might be shady, I then use Windows Sandbox, then I open the link in that with Edge, so if there is anything shady on there, my PC and I are safe from any harm.

My personal thoughts.

Overall, I don't think these should have ever been approved by Internet Assigned Numbers Authority, the governing body that oversees the DNS Root, IP addressing, and other Internet protocol resources. I can see this being used to exploit auto-linkers and what not, like what is found all over on social media to CMS's. Like everything else, you just need to be mindful of what is out there and what you are doing to your self. This isn't an end-of-world thing, this is just a bone head thing that was done, and we have idiots that just like to make things easier for exploiters.

Ars Technica -
Please login to see this link
Get registered or Log in

Techspot -
Please login to see this link
Get registered or Log in

Wired -
Please login to see this link
Get registered or Log in

Please login to see this link
Get registered or Log in


Expand
Forums ©