![](/static/253f0d9b/assets/icons/icon-96x96.png)
![](https://programming.dev/pictrs/image/8140dda6-9512-4297-ac17-d303638c90a6.png)
5·
8 months agoWhile I agree that first party systems suck, as someone with neither an iOS or Android device I personally prefer something work rather than a screen that says “connect iOS/Android”.
While I agree that first party systems suck, as someone with neither an iOS or Android device I personally prefer something work rather than a screen that says “connect iOS/Android”.
I hate that Google is exerting even more control on the internet with their TLD, but I don’t really think this attack is made all that much worse with .zip TLD. I can already bury a
.com
in a long URL and end it in .zip just fine like so:https://github.com∕foo∕bar∕baz@example.com/foo/bar/baz.zip
Or even use a subdomain to remove the @:
https://github.com∕foo∕bar∕baz.example.com/foo/bar/baz.zip
The truth is most people don’t look much at URLs outside of a domain to verify its authenticity, at which point the
.zip
TLD does not do much more harm than existing domains do.For mitigation, Firefox already doesn’t display the username portion of the URL on hover of a link and URL-encodes it if copy-pasted into the url bar. It also displays the punycode representation when hovering or navigating to the second example.