Using Firefox shows a confirmation box asking if you want to browse to the link after the '@' character, while Edge goes directly to the link. Thumbs up, Firefox.
@Finalizorut my office doesn't want to and keeps Google Chrome. And with Manifest V3 rolling out soon, I'm not going to be surprised if we get hacked or ransomwared.
It's more likely someone with money but no brain getting too much say at Google. Internet companies shouldn't be on the stock market, and this is another piece of evidence.
I wonder in what kind of scenario? I honestly don't really see myself falling for it. The username:password URL thing, yes, but whatever goes after that would be harmless to me, unless it's some super SE, e.g. Patreon or Discord mods/admins of some plugin/tool or modded game get hacked and someone edits one of the links with their own attached malware. But it doesn't mean that someone couldn't simply replace the file with their own, so the .zip domain maybe adds some risk, but not really that much; it's just +1 way of hacking someone out of hundreds of ways.
@Exaco Oh yeah, a classic "computer expert" saying more security hazards for "average people" are not a big deal, as if computers are only used by "experts". A friendly reminder: even tools that are used by nobody other than astronaut-level experts, such as spacecraft themselves, are designed super carefully to minimize potential hazards. Imagine a single astronaut saying "eh, I'm an expert, so poor UI is not a big deal, make the numbers more confusing and I can deal with them" and you'd be like "wow, what an expert he is", right?
I literally had to explain the difference between home wifi and mobile data to a family member; it's going to be hard to explain .zip and the dangers. I feel like this was a Google employee joke that went so far it became true.
That is far more common than you might think. If you say "data" to many people, they equate that to cell data usage; it's either "wifi" or "data" if they even understand that.
And people saying "wi-fi" when they mean internet is already common. Wi-fi is a wireless connection regardless of an internet connection. You can have wi-fi and no internet.
Zip is a file extension, so why confuse things by making it a domain? With companies out there making dumb decisions, staying safe has gotten so much harder.
@thedrunkenrebel I fully agree that some words should never be used for more than one purpose. We are being forced to use programs and trust them to keep us safe because companies make bad choices. The average user may not be aware they have holes in the network, and those that do will forever be fixing them because of companies like Microsoft.
It mostly comes down to this: there are only so many 3-character combinations, and the decision to have the majority of TLDs be 3 letters (easier to remember, easier to identify, less likely to be confused or misrepresented) but still be meaningful, at least in English. Then almost anyone with enough funding and infrastructure can register a TLD. What probably happened here was Marketing handed down a list they came up with, and either it was given to a few of the thousand-some people that were pre-poached as something to do, or a fully versed team tried to push back but was told it was a required directive and they HAD to complete it.
I went on the site to see what their justification for creating this domain is and it's literally just "zip domains let your customers know you're fast-paced and a real cool guy". Unbelievable.
It's funny how Google, with all its technically skilled engineers and programmers, can somehow reach the conclusion that a .zip domain is somehow a great idea.
@ember9361 yeah lol, this decision REEKS of high-level executives trying to make some extra money wherever they can while ignoring engineers, immigrant or otherwise. Being racist doesn't solve any of these problems; it's just pointing fingers at a group that isn't responsible and excusing the people who actually are.
I've been suffering Google's "mistakes" lately: - Can only debloat Android TV from outside the system. - Can't disable Bluetooth discovery on some Android TVs. - Chromecast built-in "guest mode" enabled by default and can only be disabled by the Google Home app, or by disabling the Chromecast app entirely. And so on... That's why rooting devices and having advanced options for those who know what they are doing is mandatory to avoid headaches from these multi-billion corporations that see you only as a product, so they don't care about the problems they produce in your day-to-day life...
not to mention no banking apps for custom ROMs without stupid cat and mouse workarounds that may randomly stop working and rely on deprecated access modes. Android peaked in 2014.
@TehDanny I got a Chromecast recently with YouTube TV (I'm not sure if it's the same thing UI-wise). Bloat is a nuisance more than anything else. I'm not saying it's good, but it's not, AFAIK, some major security issue. The most aggravating thing about it is the lack of buttons on the remote, virtually forcing you to use voice recognition to do anything. It's hard to blame Google for Android failings when Android is often modified by the OEMs. Samsung's Android is quite different from Google's.
@encycl07pedia- Ah, so I'm not necessarily getting bloat issues with my Philips Android TV; it's just that some companies add all of their apps. Makes sense.
Please don't forget that Google also released the .mov TLD (top-level domain), which can ALSO be seen as a file extension, in this case .mov, which is an MPEG-4 Apple QuickTime file format!
In a couple of months google will announce that Chrome will block zip domains by default to protect users. They’ll spin it that they are the only company that cares about this issue and if you want protection you must use Chrome.
Cheers mate, I'm a senior infosec resource for a 150,000 person business and I've used your video as our internal assessment. I've always liked your approach to content on InfoSec topics.
Haven't you seen the Google graveyard? Google is a failure; they got the low-hanging fruit of a search engine monopoly at a time with almost nonexistent alternatives and dominated through that same search engine. If Google were to start nowadays, nobody would know them.
One word sums up their self-destruction...greed! When profits are more important than the product or the workers, it is a sure sign of eventual collapse! The pursuit of constant growth is unsustainable!
Sometimes I feel that big companies like Google make such mistakes deliberately to sell you some extra useless feature claiming they’re protecting you.
I noticed that Firefox would show a prompt saying you're logging into a site, with the true domain. This would probably stop most phishing attacks if it were implemented in other browsers.
Google Chrome should implement -the same- a similar warning as Firefox did, -when the domain you'd actually end up at doesn't require authentication in the URL.-
@tpkowastaken seems Chrome removed support for that auth method in the URL years ago, and it just strips them out prior to navigating. So it looks like that warning would have to be something else.
@MasicoreLord no, it's worse, the behavior in Chrome hasn't changed; it's the same behavior IE removed over 15 years ago. I just tested: give it a domain with username and password and it will visit the website and authenticate with username and password and, as every browser has done, does not show anything about that in the URL, just the domain/website.
I caught the @ right away. It reminded me of a link an acquaintance sent me years ago with a username and password built in. But yeah, the vast majority of people I know wouldn't think anything of it. If I didn't have that previous experience, I might not either.
There should be a feature where when you hover over a link, it highlights any particularly suspicious characters such as the at symbol or suspicious Unicode characters or lookalike characters in red, to alert the user that it's likely a dangerous link.
The biggest issue is autolinking, though. So if you send someone an attachment and mention the name of the zip file in the email, and the receiver clicks that link instead of the actual attachment, they'll be directed to that site, which may or may not be malicious.
Yeah, I see how this feature can be used without the .zip bit. Having a legit-looking URL with @example.[any available domain] is still a really good way to trick someone. Unless you're aware of the @ exploit you won't have a clue. Since Firefox already has a warning for it, someone probably tried something like that already.
Another thing I would like to point out is that there are also malicious "mov" domain names as well that Google lets you register. So watch out for those as well, cheers.
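An added example, not part of the original thread or the video it discusses, showing what a URL parser actually does with the "something@host" trick raised in the comments above and the autolinking problem from the previous comment. It uses the WHATWG URL parser that Node.js and all current browsers implement. The function names (auditUrl, naiveAutolink, strictAutolink), the confusable-character list and every sample link are constructed for this example; the lookalike link rebuilds the "GitHub archive" pattern with U+2215 in place of every real '/' so that the only delimiter the parser sees is the '@'.

```javascript
// Added example (not from the original thread). Requires Node.js; no dependencies.

// TLDs that are also common file extensions (the ones named in the thread).
const FILE_EXTENSION_TLDS = new Set(["zip", "mov"]);

// Unicode characters that render like URL punctuation but are NOT parsed as such,
// so a parser treats everything up to the real '@' as userinfo, not as a path.
const CONFUSABLES = new Map([
  ["\u2215", "U+2215 DIVISION SLASH (looks like /)"],
  ["\u2044", "U+2044 FRACTION SLASH (looks like /)"],
  ["\uFF0F", "U+FF0F FULLWIDTH SOLIDUS (looks like /)"],
  ["\u2024", "U+2024 ONE DOT LEADER (looks like .)"],
  ["\uFF20", "U+FF20 FULLWIDTH COMMERCIAL AT (looks like @)"],
]);

// Parse a link the way the browser will and report what a user should be warned about.
function auditUrl(href) {
  const url = new URL(href); // throws TypeError on input no browser would navigate to
  const warnings = [];

  // RFC 3986 userinfo ("user:pass@" before the host): the browser uses it for
  // authentication and never shows it in the address bar.
  if (url.username !== "" || url.password !== "") {
    warnings.push("userinfo before '@': that text is a username, not the host");
  }

  for (const [ch, name] of CONFUSABLES) {
    if (href.includes(ch)) warnings.push(`confusable character ${name}`);
  }

  const labels = url.hostname.split(".");
  const tld = labels[labels.length - 1];
  if (FILE_EXTENSION_TLDS.has(tld)) {
    warnings.push(`host ends in .${tld}, which is also a file extension`);
  }

  // Internationalised labels are stored as punycode; an "xn--" label means the
  // characters the user saw are not the ASCII letters they resembled.
  if (labels.some((label) => label.startsWith("xn--"))) {
    warnings.push("punycode (IDN) label in host");
  }

  return { host: url.hostname, username: url.username, warnings };
}

// The autolinking problem: a plain-text mention of "report.zip" matches a naive
// "looks like a domain" pattern, so a mail client links it to the registrable
// domain report.zip instead of to the attachment.
const NAIVE_AUTOLINK = /\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b/gi;
function naiveAutolink(text) {
  return text.replace(NAIVE_AUTOLINK, (m) => `<a href="https://${m}">${m}</a>`);
}

// Safer: only link text that carries an explicit scheme or a "www." prefix.
const STRICT_AUTOLINK = /\b((?:https?:\/\/|www\.)[^\s<>"']+)/gi;
function strictAutolink(text) {
  return text.replace(STRICT_AUTOLINK, (m) => {
    const href = m.startsWith("www.") ? `https://${m}` : m;
    return `<a href="${href}">${m}</a>`;
  });
}

// Constructed sample: every '/' after the scheme is U+2215, so the authority runs
// all the way to '@' and the real host is the last part, "v1271.zip".
const LOOKALIKE =
  "https://github.com\u2215example\u2215project\u2215archive\u2215refs\u2215tags\u2215@v1271.zip";

function demo() {
  for (const link of [
    LOOKALIKE,
    "https://user:secret@example.zip/report.zip",   // credentials in the link
    "https://example.com/downloads/report.zip",     // benign: .zip only in the path
  ]) {
    console.log(JSON.stringify(auditUrl(link), null, 2));
  }
  console.log(naiveAutolink("Attached is report.zip, please review."));
  console.log(strictAutolink("Attached is report.zip, see https://example.com/docs"));
}
demo();
```

The point of auditUrl is that it never looks at the text a human would read; it asks the parser for url.hostname and compares that against what the link appears to say. Anything a mail client or browser extension flags should come from the parsed host, since that is the only thing the browser will connect to.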
This is not a mistake. Google knows that scammers and malicious actors will pay for these domains, thus making them more money. It's always about money.
@memyshelfandeye318 no, when a company buys a TLD they buy the rights to sell domain names with that TLD ending. So this means Google bought the rights to sell domain names that end in '.zip'.
@humilulo also, the premium domains add an approximate minimum of 1 million. Google makes a million in seconds, so the real culprit here is probably to break the internet and rush in digital ID for their WEF and govt agency masters.
Yeah, I have always been very good at spotting suspicious URLs, but this may very well trip me up in future given that I pull from GitHub and other codebases a lot! Google should just park this domain extension, never to be used by anyone.
NextDNS is actually free for the first 300,000 queries/month (When exceeding the free monthly quota, NextDNS will continue to answer DNS queries like a classic non-blocking DNS service)
I definitely think you're right about this one. Even those of us on Linux could potentially have a problem with it. The only solution I offer is to manually type in the domain name of whatever website you want to visit and once you've navigated somewhere within that site bookmark it and only ever use the bookmark going forward.
@Sonario648 You wouldn't need to know the exact URL, just the domain name. As I said, navigate from there to where you need to be on a given site and bookmark that.
I am really surprised nobody at google could convince Google not to do this. That they would think this was an acceptable thing to do is just really bad for security.
About the people saying it's no big deal because coming up with lookalike domains can already be done: that does not mean we should be giving bad actors an extra tool!
Google is paid directly by scammers... Why do we see bad ads, spam, and other shady **** on Google's platforms? That's why... And that's why I block ads... Google ain't going to give up that scammer money, especially after they lost all that ad revenue in the Adpocalypse... and other incidents afterward... Also hour- or multi-hour-long ads... that's just a joke... If I wanted to watch an infomercial... I'd stay up late at night to see them... Sorry... Rant.
They already don't do anything about scammers buying Google Search ads for popular software like OBS, so at this point I'd be legitimately surprised if they weren't actively trying to help them.
Been saying for over 25 years as an ICT prof. that hiding file extensions by default was incredibly stupid. Making the end users dumber thanks to M$, Apple and Google... practically criminal. To be clear though: 99.999% of all companies block zip in mail anyway. And some people will click anything, really...
No, I'm thankful that you take the time to make these videos for us. I believe if you're worried about security you have to be aware of the smallest details. Thank you and be safe.
This does seem like a bad idea, but what you didn't cover is why Google thinks it's a good idea in the first place. One would think they would have considered the downside to having this but the advantages outweigh the disadvantages. Could you make an update to your post that looks at this?
All this time .. _years_ lol .. I thought facebookmail *_WAS_* a spam/phishing domain. The more you know! 🌠 Thanks Thio! Also .. yes .. this new TLD is ridiculously dumb and dangerous.
What shocks me about this is that it's so obviously stupid, even to laymen, and yet this giant company with tons of expertise decides they're going to do it. Why? What value could this possibly serve?
Probably the ICANN root servers and operations cost a lot, but it's somewhat better to have that publicly funded than evil corp funding it, to keep links working and site data safe. But owners of top-level suffixes host their own servers; to know if that is the real one, ICANN only needs to host the top, and that is probably not a lot of data. But that is the TLDs; maybe IPs are a lot more work to keep up to date.
Quad9 is one of the best, if not the best, free security DNS providers. Reviews and tests have shown they have the most comprehensive malware and phishing blocking available.
Yes, they have the best malware and phishing filtering and they're also Swiss-based non-profit. They have servers worldwide in more than 200 locations in 90 nations.
2:26, simple browser fix: just don't treat anything with a protocol at the start as an email address. Doesn't matter how many email addresses that breaks; they'll just have to get special exceptions made for them, or they just stay broken. Either way the browser needs some sort of protection against the hack even if it means inconvenience for an unlucky few.
@cameron7374 That's still an email address in short form. Either way, the URIs in question are neither and are supposed to be just normal URLs, hence the need for the browser to have more robust checks anyway. I'll admit if I was still naive enough to think that there's no way a simple URL could be made to be interpreted differently by the vs the browser, I would probably have done just simple checks too; now a looped string compare instead of a character compare is needed to protect against such attacks.
I agree! I knew one was fake when I saw the @ sign, but I thought it was the other way around. I didn't think of what you said. I use the feature all the time when I use my FTP servers.
@Dennis Smiley, FTP is deprecated these days because it is not a secure protocol. That password is sent in clear text, which can be captured by a bad actor. SSH is the replacement secure protocol.
2:34 What is maybe worse: IE blocked this behavior for almost 15 years, but that browser is now gone. So the one browser that would protect you from this is gone.
Be careful what you click on. One time, about 10 years ago, I got an email that had nothing in it. Just out of curiosity, I copied the domain name and pasted it in my browser. It only took about 2 seconds to get a BSOD. My Windows installation was corrupted and I needed to recover from a backup. A couple of days later, many of my accounts were taken over (I assume it stole my saved passwords from Firefox, which I don't do anymore because of this). All I did was enter that domain into Firefox and press Enter. That's all it took to crash my system and steal my passwords. Don't go looking in dark places.
That seems like a security flaw in Firefox. A website shouldn't have that much power. Although it might have been through flash, which had security flaws. Flash was a thing 10 years ago.
How do we change the font in the Chrome and Edge address bars (omnibars)? It appears to be stuck at the ambiguous, insecure Segoe UI, where upper-case I looks like lower-case L. I tried to change it to a secure font, Tahoma or Verdana, but the change does not affect the address bar. The setting is in Settings/Appearance/Custom Fonts, but it doesn't affect the address bar fonts. Fixing the font there would not solve the @ problem, but in Verdana the different forward slashes are distinct-looking too.
Easy solution - don't use Chrome or Edge. Use a browser that actually cares about your security. There is no reason why anybody should ever recommend Chrome to anybody else.
Another example across many industries of people with insufficient skills and knowledge, having the privilege to make decisions. A fact of modern times
I use uMatrix with everything blocked by default except images, so random-ass websites don't run scripts without my knowledge. Even if I end up on some shady site, it will be obvious and is unlikely to do any harm.
Many times, the URL is so large that you can't even see it fully in the bottom bar. We may just check the first few letters to somewhat verify the target. Gosh, such a security nightmare this is.
I feel like the fact that TikTok and YouTube use the @ symbol in their URLs just makes this worse. I would be pretty wary of clicking on that link because of the @ symbol, but now it's becoming less of a red flag.
Let me know if I am wrong: a zip file needs to be extracted, so if you see this and the file does not have to be extracted, this should set the alarm bells off. The only reason I can come up with is they are trying to make all zip files suspicious.
Google is just following Microsoft's time honored tradition of putting out really stupid and risky "features" and then slapping a Band Aid on it later, rather than admitting that they screwed up and simply removing said feature. Like the preview panel in Outlook Express that would execute any email attachment. Or the autorun/autoplay system that will execute whatever instructions it finds on a disc or USB drive. Or ActiveX that allowed websites to execute programs in your web browser. Or...
But isn't this better than the alternative, Thio? Google could be held accountable if they sell .zip to malicious personnel. If this top-level domain was launched by any other lesser-known company (the alternative), they couldn't be held as accountable, right? Sorry if I'm being ignorant.
Google will sell domains like any other TLD owner; there's no other reason to own it apart from control. AFAIK no other TLD owner has ever been held responsible for registration of domains by "malicious personnel".
God damn it. This needs to be removed very quickly. We need to get hundreds of thousands of people to complain to Google about this idiocy. It is already a hassle to confirm links or train up business users to not be scammed. This will make this much harder.