Should .zip communities be avoided for this potential confusion or no?
unexposedhazard@discuss.tchncs.de 2 months ago
I dont think there are any valid technical insecurities. Its just a TLD like any other. The issue is just that people might get confused by it and that could be used for phishing stuff.
tisktisk@piefed.social 2 months ago
bamboo@lemmy.blahaj.zone 2 months ago
Exactly this, the
.zipfile extension is widely known, and now that it’s also a TLD, it can be confusing for some people. There’s no technical vulnerability, but the existence of.zipTLD just gives more ammo for phishing. For example, someone could register a domain namerecent-bank-statements[.]zip(without brackets) and then have a subdomain forchase.comand send someone a link tohttps://chase.com.recent-bank-statements/[.]zipto “Download your bank statements”. If you’re not looking closely, you might not realize there is a.instead of a/and think that this link would go to chase.com When the site initiates a download of a zip file, you might trust the contents thinking it came from Chase and not a malicious link.tisktisk@piefed.social 2 months ago
Excellent explanation. So with this knowledge, should .zip sublemmy/communities be avoided as well or is this excessive for some reason?
Demigodrick@lemmy.zip 2 months ago
Just to clear up, you aren’t interacting with lemmy.zip communities directly from your instance. You never directly interface with lemmy.zip, instead the servers send copies of posts and comments between eachother.
There is no risk from lemmy.zip (obviously) - its a lemmy instance that’s been around over 2 years and is perfectly legitimate. There’s just as much risk from every other tld where people intentionally misspell company names or try to insert similar looking characters. Practice basic Internet security (i.e. dont click on links you aren’t expecting) and you’re pretty much covered.
tisktisk@piefed.social 2 months ago
Holy God I didn't expect the admin of lemmy.zip to chime in.😊 I'm very appreciative of your work, please don't see this as FUD or shade-throwing. I'm just trying to understand and improve my general security practices as best I can.
bamboo@lemmy.blahaj.zone 2 months ago
it’s excessive