Exactly this, the .zip file extension is widely known, and now that it’s also a TLD, it can be confusing for some people. There’s no technical vulnerability, but the existence of .zip TLD just gives more ammo for phishing. For example, someone could register a domain name recent-bank-statements[.]zip (without brackets) and then have a subdomain for chase.com and send someone a link to https://chase.com.recent-bank-statements/[.]zip to “Download your bank statements”. If you’re not looking closely, you might not realize there is a . instead of a / and think that this link would go to chase.com When the site initiates a download of a zip file, you might trust the contents thinking it came from Chase and not a malicious link.
tisktisk@piefed.social 2 days ago
Excellent explanation. So with this knowledge, should .zip sublemmy/communities be avoided as well or is this excessive for some reason?
Demigodrick@lemmy.zip 2 days ago
Just to clear up, you aren’t interacting with lemmy.zip communities directly from your instance. You never directly interface with lemmy.zip, instead the servers send copies of posts and comments between eachother.
There is no risk from lemmy.zip (obviously) - its a lemmy instance that’s been around over 2 years and is perfectly legitimate. There’s just as much risk from every other tld where people intentionally misspell company names or try to insert similar looking characters. Practice basic Internet security (i.e. dont click on links you aren’t expecting) and you’re pretty much covered.
tisktisk@piefed.social 2 days ago
Holy God I didn't expect the admin of lemmy.zip to chime in.😊 I'm very appreciative of your work, please don't see this as FUD or shade-throwing. I'm just trying to understand and improve my general security practices as best I can.
Demigodrick@lemmy.zip 2 days ago
Sorry but your posts are FUD. You’re trying to equate people misusing tlds (which happens across many other tlds) as somehow lemmy.zip is “bad” instance that should be avoided.
Not only is that not true, you are also purposely misunderstanding how federation works as if youre somehow safer not interacting with lemmy.zip. Again, not remotely true.
If you want to block .zip TLDs you go for it, no one is stopping you, but you may as well block .com TLDs while you’re at it as that’s where most scams take place.
bamboo@lemmy.blahaj.zone 2 days ago
it’s excessive