Google is offering a new .zip web domain for users who want people to know they're "fast, efficient, and ready to move." It sounds mostly okay on paper, but due to the similarities between this domain and a popular zipped file format, there are concerns that this could become one of the easiest ways to dupe web-goers into downloading dodgy files.
You can see why there have been concerns about the new .zip top level domain (TLD). Say you're looking to download the CPU-Z software, you'd expect to land on the CPUID website at the URL: www.cpuid.com/downloads/cpu-z/cpu-z.2.05-en.zip.
What Google's new .zip TLD will allow for are links that look very similar but are incredibly dangerous dupes. For example (this link goes nowhere, but there's still no need to try it): www.cpuid.com/downloads/cpu-z∕@cpu-z.2.05-en.zip.
Most web-savvy users would probably notice the rogue @ in there and think twice before clicking on that URL, but you might not notice the Unicode character U+2215, which tries to masquerade as a forward slash. Cheeky.
As security researcher bobbyr points out in their Medium blog post, most modern browsers treat everything before the @ as login information (userinfo) and only use the hostname following it. That means if you were to put in https://google.com@bing.com, most browsers would direct you to bing.com. If you were to add forward slashes into the URL before the @, you'd actually see the reverse happen, because a real forward slash ends the hostname portion and everything after it (the @ included) becomes part of the path: https://google.com/search@bing.com will take you to Google.
That's where Unicode characters U+2215 and U+2044 come in. These look a lot like forward slashes, but they're not. And they're supported in hostnames. That means you could create a fake URL that appears pretty genuine and
Read more on pcgamer.com
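As an added example (this is not code from the PC Gamer article or from bobbyr's post), the script below runs the article's two @ examples, the genuine CPU-Z download link, and a constructed variant in which every slash is U+2215 through Python's urllib.parse, which applies the same two rules the article describes: text before the last @ in the authority is userinfo, and only a real forward slash ends the hostname. It reports the host that would actually be contacted and the reasons a link deserves a second look. The lookalike-character set and the .zip-host check are assumptions of this example, a defensive check of the kind a mail gateway or chat link scanner might apply, not a description of how any particular browser renders its address bar.

```python
# Added example, not code from the PC Gamer article or from bobbyr's post.
# It applies the parsing rules the article describes (text before '@' is
# userinfo; only a real '/' ends the hostname) to constructed sample links
# and flags the ones a reader is likely to misread.
from __future__ import annotations

import unicodedata
from urllib.parse import urlsplit

# The two slash lookalikes the article names (assumption: illustrative list,
# not exhaustive). Unlike '/', neither ends the hostname, so a link can carry
# a whole fake "path" inside the authority part of the URL.
SLASH_LOOKALIKES = frozenset({"\u2215", "\u2044"})  # DIVISION SLASH, FRACTION SLASH


def effective_host(url: str) -> str:
    """Return the host a browser-style parser actually connects to.

    urlsplit() ends the authority at the first real '/', '?' or '#' and
    treats everything before the last '@' inside it as userinfo, which is
    the behaviour the article describes.
    """
    return urlsplit(url).hostname or ""


def lookalike_slashes(text: str) -> list[tuple[int, str]]:
    """List (index, Unicode character name) for every slash lookalike in text."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(text) if ch in SLASH_LOOKALIKES]


def assess(url: str) -> dict:
    """Explain where a link really goes and why it might be deceptive."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons: list[str] = []
    if parts.username is not None:
        # Anything before '@' in the authority is login info, not a site name.
        reasons.append(f"text before '@' is userinfo; real host is {host}")
    found = lookalike_slashes(parts.netloc)
    if found:
        names = ", ".join(sorted({name for _, name in found}))
        reasons.append(f"hostname part contains slash lookalikes: {names}")
    if host.endswith(".zip"):
        reasons.append("destination is a .zip website, not a .zip download")
    return {"host": host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: the article's two '@' examples, the genuine CPU-Z
    # link, and a lookalike variant whose slashes are all U+2215.
    samples = [
        "https://google.com@bing.com",
        "https://google.com/search@bing.com",
        "https://www.cpuid.com/downloads/cpu-z/cpu-z.2.05-en.zip",
        "https://www.cpuid.com\u2215downloads\u2215cpu-z\u2215@cpu-z.2.05-en.zip",
    ]
    for sample in samples:
        verdict = assess(sample)
        print(f"{sample}\n  -> host: {verdict['host']}  suspicious: {verdict['suspicious']}")
        for reason in verdict["reasons"]:
            print(f"     - {reason}")
```

The genuine download link is not flagged: it has no userinfo, its hostname contains only real slashes, and its host is www.cpuid.com rather than a .zip domain. The lookalike variant resolves to the host cpu-z.2.05-en.zip and trips all three checks, which is the point a link scanner should surface before a user clicks.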