32
are domains containing 'zip' near the end a legitimate threat? (piefed.social)
submitted 3 days ago by tisktisk@piefed.social to c/nostupidquestions@lemmy.world
29 comments fedilink hide all child comments

I've heard a decent argument why it should be avoided, and I'm curious to know to what degree. I understand avoiding .zip links, but should I go as far as to avoid .zip communities too? Where does this thinking become genuine paranoia?

top 29 comments
sorted by: hot top controversial new old
[-] NaibofTabr@infosec.pub 45 points 3 days ago* (last edited 3 days ago)

The ".zip" TLD isn't itself a security risk, but it should never have been created in the first place due to the overlap with .zip files.

Understanding the context of why the .zip TLD is a bad idea, you should be questioning the general competence of a web admin that would intentionally purchase and operate a .zip website. There are plenty of other cheap TLDs available that do not overlap with common file extensions. It's such an obvious and avoidable problem that you have to wonder what other obvious problems they are failing to avoid.

[-] actionjbone@sh.itjust.works 16 points 3 days ago

I do not disagree, though I'm curious on your take of .COM since that has always had the same issue.

[-] NaibofTabr@infosec.pub 1 points 1 day ago

Basically, .COM files are not commonly used and definitely not commonly shared on the Internet. The overlap between use cases for .COM files and .com TLDs is almost nothing.

In contrast, .ZIP files are very commonly shared on the Internet as a convenient way to transfer a group of files all at once, and there are a few different techniques for using .ZIP files maliciously. There is a lot more potential for conflicts between .ZIP files and the .zip TLD on the Internet.

[-] Scrollone@feddit.it 6 points 3 days ago

The difference is they everybody knows about zip files, even my old mom. Not so much for com executables. That's why it can lead to phishing, etc.

[-] tisktisk@piefed.social 3 points 3 days ago

Well put. Your explanation has me most confident I should avoid lemmy.zip communities for the time being--thx

[-] jaybone@lemmy.zip 29 points 3 days ago

lol there is nothing wrong with Lemmy.zip. It’s a legit Lemmy instance and the communities are safe.

The concern is that someone might try to make a website / URL appear to be a zip file you can download and open. But Lemmy.zip is not doing that.

Also you are on a different Lemmy instance, so you never interact with Lemmy.zip directly. Instead, behind the scenes, your instance exchanges data with Lemmy.zip, and all other instances it is federated with, regardless of whether you personally subscribe to any .zip communities or not.

[-] tisktisk@piefed.social 4 points 3 days ago

If the concern is legit, wouldn't it be an ethical practice to not support services that use the problematic TLD?

[-] Rhynoplaz@lemmy.world 25 points 3 days ago

Not everything needs an ethical practice.

[-] BootLoop@sh.itjust.works 1 points 3 days ago

Lemmy communities are run by volunteers who are often footing the bill themselves to run. Without these people Lemmy would not exist. One/some of these people decided to save themselves a few bucks a month and get a .zip domain. There's nothing wrong with lemmy.zip

[-] aviationeast@lemmy.world 24 points 3 days ago

Waiting for Lemmy.exe

[-] captainlezbian@lemmy.world 11 points 3 days ago

That'll just install arch and delete windows

[-] fuckwit_mcbumcrumble@lemmy.dbzer0.com 6 points 3 days ago

What would lemmy.sh do? Install the latest screenfetch and post it online?

[-] Cevilia 5 points 3 days ago

lemmy.sh would order hormones and programmer socks.

[-] unexposedhazard@discuss.tchncs.de 24 points 3 days ago

I dont think there are any valid technical insecurities. Its just a TLD like any other. The issue is just that people might get confused by it and that could be used for phishing stuff.

[-] bamboo 26 points 3 days ago* (last edited 3 days ago)

Exactly this, the .zip file extension is widely known, and now that it's also a TLD, it can be confusing for some people. There's no technical vulnerability, but the existence of .zip TLD just gives more ammo for phishing. For example, someone could register a domain name recent-bank-statements[.]zip (without brackets) and then have a subdomain for chase.com and send someone a link to https://chase.com.recent-bank-statements/[.]zip to "Download your bank statements". If you're not looking closely, you might not realize there is a . instead of a / and think that this link would go to chase.com When the site initiates a download of a zip file, you might trust the contents thinking it came from Chase and not a malicious link.

[-] tisktisk@piefed.social 3 points 3 days ago

Excellent explanation. So with this knowledge, should .zip sublemmy/communities be avoided as well or is this excessive for some reason?

[-] Demigodrick@lemmy.zip 17 points 3 days ago

Just to clear up, you aren't interacting with lemmy.zip communities directly from your instance. You never directly interface with lemmy.zip, instead the servers send copies of posts and comments between eachother.

There is no risk from lemmy.zip (obviously) - its a lemmy instance that's been around over 2 years and is perfectly legitimate. There's just as much risk from every other tld where people intentionally misspell company names or try to insert similar looking characters. Practice basic Internet security (i.e. dont click on links you aren't expecting) and you're pretty much covered.

[-] tisktisk@piefed.social 2 points 3 days ago

Holy God I didn't expect the admin of lemmy.zip to chime in.😊 I'm very appreciative of your work, please don't see this as FUD or shade-throwing. I'm just trying to understand and improve my general security practices as best I can.

[-] Demigodrick@lemmy.zip 19 points 3 days ago

Sorry but your posts are FUD. You're trying to equate people misusing tlds (which happens across many other tlds) as somehow lemmy.zip is "bad" instance that should be avoided.

Not only is that not true, you are also purposely misunderstanding how federation works as if youre somehow safer not interacting with lemmy.zip. Again, not remotely true.

If you want to block .zip TLDs you go for it, no one is stopping you, but you may as well block .com TLDs while you're at it as that's where most scams take place.

[-] bamboo 10 points 3 days ago

it's excessive

[-] tisktisk@piefed.social 1 points 3 days ago

Should .zip communities be avoided for this potential confusion or no?

[-] missingno@fedia.io 12 points 3 days ago

There's an argument to be made that ICANN shouldn't have made .zip a valid TLD due to potential confusion. But that's ICANN's problem, and it's a bit too late to undo that mistake now. You don't need to worry that there's something wrong with a Fediverse instance using it. As long as you can tell the difference between a community and a zip file, nothing bad is going to happen.

[-] TriflingToad@sh.itjust.works 8 points 3 days ago* (last edited 3 days ago)

yeah id say so, tech literacy is bad as is. Adding to the scams is the last thing we need.

However it's like any other .com just with a more customizable name, like http://files.catbox.moe/ fits because the site is decorated with anime drawings (moe definition).
for a techy website .zip is fine, as long as they're not using it as an attempt to scam.

lemmy.zip is perfectly a-ok in my eyes

[-] SEND_BUTTPLUG_PICS@lemmy.zip 7 points 3 days ago

I fucking hope not because I belong to lemmy.zip!

[-] xavier666@lemmy.umucat.day 4 points 3 days ago

@SEND_BUTTPLUG_PICS@lemmy.zip should I zip them and send?

[-] artiman@piefed.social 6 points 3 days ago* (last edited 3 days ago)

No where did you hear that from?

[-] tisktisk@piefed.social 4 points 3 days ago* (last edited 3 days ago)
[-] tisktisk@piefed.social 1 points 3 days ago

The ending closed parenthesis is needed for this link but I can't fix it sry

[-] Ephera@lemmy.ml 1 points 3 days ago

This might fix it on some clients (but probably breaks it on others): https://en.wikipedia.org/wiki/.zip_(top-level_domain)

this post was submitted on 18 Aug 2025
32 points (100.0% liked)

No Stupid Questions

43005 readers
524 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.

Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.

Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- Majority of bots aren't allowed to participate here. This includes using AI responses and summaries.

Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 2 years ago
MODERATORS
L3s@lemmy.world
technopagan@lemmy.world
jeffw@lemmy.world
L3s@hackingne.ws