Security Risks of New .zip and .mov Domains – Source: www.schneier.com

Source: www.schneier.com – Author: Bruce Schneier

Comments

Hauke


May 19, 2023 8:11 AM

I may be dating myself here, but I don’t remember a security issue with .com file types and domains.

The difference today, I would hazard a guess, is that the .com executable file isn’t common.

Cheers!

Chris


May 19, 2023 8:20 AM

@Hauke: there are issues with .com domains, but they are the other way around, in the form of people distributing malware that looks innocuous because it’s an executable called fun-website.com that people are tricked into running.

adao


May 19, 2023 10:27 AM

Mistaking a URL for a filename could be a security vulnerability.

This is not so much users mistaking it, but software. There’s a lot of software that makes mistakes by trying to be “helpful”. Like when we see a numbered list that goes 6, 7, (face with sunglasses), 9; or a reference to the ‘70s instead of the ’70s. Sometimes the behavior isn’t immediately visible. For example, if I highlight something Firefox thinks is a domain, like Chris’s reference to a “fun website” executable, the right-click menu will have several “open link” options—even though it’s not a link (I checked the HTML to verify). If even browser developers are so sloppy with the term “link”, can we be surprised if others don’t understand what they are and how they work?

It’s not much trouble to have to write brackets (for example) around a domain or URL to make it into a link. And I guess most people render HTML e-mails by default now, given that many mailers have stopped attaching a plaintext version. So, really, why should any software be trying to guess about what might be a domain name or filename? If it was meant to be a link, it would’ve been.
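The link-guessing behaviour discussed in the comment above, turned into a check a mail or chat renderer could apply: explicit URLs are linked, while bare tokens whose last label is also a file extension are reported and left as plain text. This is an added example, not code from the original post or its commenters; `scan`, the regular expressions and the sample text are constructed for illustration.

```python
import re

# File extensions that are also registrable TLDs; the three named on this page.
AMBIGUOUS_TLDS = {"zip", "mov", "com"}

# Explicit links: bracketed <https://...> or a token that carries a scheme.
EXPLICIT = re.compile(r"<(https?://[^\s<>]+)>|(https?://[^\s<>]+)")
# Bare host-like tokens: dot-separated labels ending in an alphabetic label.
BARE = re.compile(r"\b((?:[a-z0-9-]+\.)+([a-z]{2,}))\b", re.IGNORECASE)


def scan(text):
    """Return (explicit, ambiguous, other_bare) lists, in order of appearance."""
    explicit = []
    for m in EXPLICIT.finditer(text):
        # Bracketed URLs are taken verbatim; unbracketed ones lose trailing punctuation.
        explicit.append(m.group(1) or m.group(2).rstrip(".,;:!?)"))
    # Blank out explicit links so their hostnames are not re-reported as bare tokens.
    remainder = EXPLICIT.sub(" ", text)
    ambiguous, other_bare = [], []
    for m in BARE.finditer(remainder):
        bucket = ambiguous if m.group(2).lower() in AMBIGUOUS_TLDS else other_bare
        bucket.append(m.group(1))
    return explicit, ambiguous, other_bare


# Constructed sample message mixing filenames, bare hostnames and explicit links.
SAMPLE = (
    "Run fun-website.com or grab backup-2023.zip; docs at "
    "<https://example.org/a.zip> and https://example.net/x. Also see example.org."
)

if __name__ == "__main__":
    links, ambiguous, bare = scan(SAMPLE)
    print("link these:       ", links)
    print("never auto-link:  ", ambiguous)
    print("bare, not guessed:", bare)
```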

John Levine


May 19, 2023 1:57 PM

These domains have been around since 2014. The only thing that’s new is that Google has made it easier to register in them.

But we should put the blame where it belongs, on Microsoft Windows which invented the terrible idea of recognizing executable files by their names, rather than by their contents as every sensible system does.

PattiM


May 19, 2023 2:59 PM

I’ve been around since before MS – it’s amazing to me that they’ve maintained the art of quite bad security for so many decades – while making people think they’re a good idea (as in, good at what they’re doing/selling).

David Leppik


May 19, 2023 3:50 PM

MS Windows inherited that from MS-DOS, which inherited it from CP/M, which inherited it from mainframes. At which point you’re talking about what makes sense for a punchcard-based system, where the tradeoffs are totally different from a global, internet-connected world.

Classic MacOS had a metadata fork for every file built into the filesystem. Problem is, that causes problems when you transfer files to and from non-metadata filesystems. They abandoned it when they replaced Classic with OpenSTEP.

Jim


May 20, 2023 5:41 AM

Like often, it’s kinda blown out of proportion. As well as the whole “Windows identifies executables by extension” which people cry so much about. No, that itself is not the issue, the issue is people want comfort. And you can only take so much of that away, until they stop using your product.


There are reasons Linux is still a niche product on desktops. It lacks comfort.


Original Post URL: https://www.schneier.com/blog/archives/2023/05/security-risks-of-new-zip-and-mov-domains.html

Category & Tags: Uncategorized, cybersecurity, Google, phishing, vulnerabilities
