Disable User
Posts
Why the new .zip domains might be a problem

Why the new .zip domains might be a problem

Disable User
May 18, 2023

Hi and welcome to another Security weekly. Where we laugh, we cry and share the latest and greatest in security and tech news.

In this week's edition:
🤷Why the new .zip domains might be a problem
🔐Cryptography part 3: Digital certificates and Certificate Authorities
❓ Disable User explains: Top Level Domain
🔥 the quick and dirty

Reading time: 03:46

Why the new .zip domains might be a problem

So, another stormy week in the land of security.

Fear not, no zero-days..

yet.

But hey, what happened?

At the start of May, Google announced they were adding 8 new Top Level Domains: .dad, .phd, .prof, .esq, .foo, .zip, .mov and .nexus.

Launch details for eight new TLDs

Eight new domains will be launching in May: .foo, .zip, .mov, .nexus, .dad, .phd, .prof, and .esq

At first glance, no big deal. But here’s the trouble:

.zip and .mov are file extensions.
And not just the least, they are very common, especially .zip.

That started some drama in the security community, falling into two camps;

The doomsday preppers
The people who think it’s not as bad as it looks

As you know, I loooooooove me some drama.

So I stirred up some conversations on both LinkedIn and Twitter, with opposite takes to what the original poster was saying.

This often leads to the best responses. People love to prove others wrong.

Sorry, I strayed.

Anyway

This lead me to these two articles, with opposing views.

My boy, Berryrsec, explaining how .zip’s can be used for phishing.

The Dangers of Google’s .zip TLD

Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

And in the other corner, my boy Thomas Claburn saying Berryrsec should take a chill-pill.

Google's .zip and .mov domains aren't the end of the world

Did we forget about .pl, .sh and oh yeah, .com ?

While he does make a fair point, you can't really compare .zip - a file extensions used by everyone and their moms, to .pl - a file extension for Pearl.

Who the f even knows what Pearl does?

Disable User Conclusion: love the drama, hate the fact that I will have to re-work the internal user awareness.
I’ll take Berryr’s side on this one, because he atleast thinks about our most common and fragile resource: the end user.

Cryptography part 3: Digital Certificates and Certificate Authorities

It’s that time of the week again.
For part 3 in our Cryptography story, get ready to learn about digital certificates and certificate authorities.

Digital Certificates: Online ID Cards

Even if you’re not sure what a certificate is, you’re using atleast 1 right now (possibly more).
You can find them in:

Web Security - Certificates are used for HTTPS traffic.
Email Encryption - To verify who sent it, and to verify it’s not been modified.
Software Signing - To help users verify that the software they download is from a trusted source and hasn't been tampered with.
Virtual Private Networks - for authentication purposes.
Secure File Transfer - Protocols like FTPS and SFTP use digital certificates to ensure the secure transmission of files.
Device Authentication - Devices that don’t use traditional username/password authentication, rely on certificates to prove their ‘identity’.

And lot’s, lot’s more..

Digital certificates are like the internet's version of an ID card.

But who hands them out?

Familiar with DigiCert, GlobalSign, or Let's Encrypt?
These are examples of Certificate Authority’s.

CA’s are big names in the world of Internet. They are trusted by all, and act as the big bouncers you see in nightclubs.

They check every ID (certificate) and keeps a list with relevant information:

Owner's name
Public key
The validity period

Once this check out, they’ll allow you in and vouch for you. CA’s do this by signing your certificate.
Once it is signed, the rest of the internet knows you are to be trusted.

If a certificate is no longer valid, it will move to the CA’s ‘Certificate Revoke List’ and no longer be ‘allowed in’.

Of course the CA’s are monitored heavily, because they are the ones who control a lot of the internet’s security protocols regarding certificates.

In 2017, Symantec had a major issue with their CA partner - Trustico - who claimed their certificate private keys had leaked. Making the certificates worthless.
This lead to one of the biggest CA’s, DigiCert, revoking 23.000 certificates.

23,000 Users Lose SSL Certificates in Trustico-DigiCert Spat

Over 23,000 users will have their SSL certificates revoked by tomorrow morning, March 1, in an incident between two companies —Trustico and DigiCert— that is likely to have a huge impact on the CA (Certificate Authority) industry as a whole in the coming months.

Top Level Domain

The last segment of a domain name, located after the final dot, such as '.com', '.org', or '.net'.
It is part of the internet's hierarchical Domain Name System (DNS) and helps to categorize and structure websites across the internet.

Or, in the case of .zip and .mov, make our lives unnecessarily harder.

The quick and dirty

Apple blocked 1.7 million apps for privacy, security issues in 2022 - good on you Apple, keeping us safe and all
Telly, the ‘free’ smart TV with ads, has privacy policy red flags - if you’re not paying for the product, you are the product.
Inside Qilin Ransomware: Affiliates Take Home 85% of Ransom Payouts - Ransomware with an affiliate program. What’s next, ransomware influencers?
Meme of the week