Conversation

Notices

1. Embed this notice
   Jamie (suprjami@fosstodon.org)'s status on Wednesday, 07-Jun-2023 21:27:13 JST Jamie

   The new ".zip" domain is being used almost solely for malware. Some of the clicks are very deceptive, even to technically knowledgeable people. See the attached image for an example.

   You can block all zip domains with the following uBlock Origin rule:

   ||zip^

   Tell everyone you know.

   • Embed this notice
     feld (feld@bikeshed.party)'s status on Wednesday, 07-Jun-2023 22:54:03 JST feld

     in reply to

     • Jim
     Show me a browser that parses that URL in such a way that everything before the @ is treated as HTTP Basic authentication?
   • Embed this notice
     Jim (sullybiker@sully.site)'s status on Wednesday, 07-Jun-2023 22:54:04 JST Jim

     in reply to

     @suprjami Didn't virtually every infosec person say this would happen?

   • Embed this notice
     feld (feld@bikeshed.party)'s status on Wednesday, 07-Jun-2023 22:58:19 JST feld

     in reply to

     • feld
     • Jim
     Let's try trurl, the URL parsing logic for Curl
     
     oh look, it does the right thing too
   • Embed this notice
     feld (feld@bikeshed.party)'s status on Wednesday, 07-Jun-2023 23:03:28 JST feld

     in reply to

     • feld
     • Jim
     Ruby:
   • Embed this notice
     feld (feld@bikeshed.party)'s status on Wednesday, 07-Jun-2023 23:05:24 JST feld

     in reply to

     • feld
     • Jim
     Python urllib3
   • Embed this notice
     Doughnut Lollipop 【記録係】:blobfoxgooglymlem: (tk@bbs.kawa-kun.com)'s status on Wednesday, 07-Jun-2023 23:11:15 JST Doughnut Lollipop 【記録係】:blobfoxgooglymlem:

     in reply to

     • feld
     • SlicerDicer
     @SlicerDicer @feld https://12022021endofinternet.com/
   • Embed this notice
     SlicerDicer (slicerdicer@bikeshed.party)'s status on Wednesday, 07-Jun-2023 23:11:16 JST SlicerDicer

     in reply to

     • feld
     @feld Still confused if paper is the problem or not.
     
     In the meantime? The solution is to ban the internet.
   • Embed this notice
     feld (feld@bikeshed.party)'s status on Thursday, 08-Jun-2023 12:32:52 JST feld

     in reply to

     • Der Teilweise
     Ok, but this is a problem that can be solved with a tiny patch that won't break anything: disallow HTTP basic auth embedded in URLs if any character codepoint is > 127. Require a pop up to enter the user/pass or just give an error about an invalid URL.
     
     Unicode characters here should definitely need to be explicitly encoded as base64 for the Authorization header.
     
     Anyone who *needs* this to work with Unicode characters can piss off. I'm willing to bet the RFCs don't have any MUST or SHOULD that mention non-ASCII characters be allowed here.
     
     Tada, we fixed it and everyone can put down their keyboards and stop crying about new TLDs
   • Embed this notice
     Der Teilweise (teilweise@layer8.space)'s status on Thursday, 08-Jun-2023 12:33:00 JST Der Teilweise

     in reply to

     • feld

     @feld Try to copy & paste this URL: https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
     (Not everything that looks like a ∕ is a /.)

     The problem with .zip is that it is widely seen as a “safe” extension. (Otherwise .com would have been an even bigger problem …)

   • Embed this notice
     feld (feld@bikeshed.party)'s status on Thursday, 08-Jun-2023 22:25:39 JST feld

     in reply to

     • Der Teilweise
     @teilweise Stop using basic auth and join us in the 21st century. It's not like you couldn't just change your username.
     
     If you were using LDAP, AD, Kerberos, OAuth, OpenID, etc you wouldn't be able to use HTTP Basic auth anyway.
     
     Complaining that you can't use Unicode characters that didn't even exist when the RFC was written is hilarious though.
   • Embed this notice
     Der Teilweise (teilweise@layer8.space)'s status on Thursday, 08-Jun-2023 22:25:41 JST Der Teilweise

     in reply to

     • feld

     @feld Sure, I’ll change my name to not contain unicode characters.

     Nobody needs unicode. Actually, BCDIC was good enough. Nobody needs uppercase characters in URLs.

     It’s OK, I will just piss off.

     Welcome to the kill file.

   • Embed this notice
     hypolite (hypolite@friendica.mrpetovan.com)'s status on Friday, 23-Jun-2023 13:03:38 JST hypolite

     in reply to

     • musenhain
     @musenhain @suprjami Funnily enough, your first URL isn’t what what written in the image. Notice how the forward slashes in the first path are more angled the first two after “http:”, which means they are special characters actually part of the domain name with the .zip top-level domain.
   • Embed this notice
     musenhain (musenhain@friendica.andreaskilgus.de)'s status on Friday, 23-Jun-2023 13:03:40 JST musenhain

     in reply to

     @suprjami Content of image:
     "Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

     github.com∕kubernetes∕kube…

     github.com/kubernetes/kubernet…

     [Edit: Corrected the slashes being part of the domain name in the first link. Hint by @hypolite@friendica.mrpetovan.com]

   • Embed this notice
     this.ven (thisven@digitalcourage.social)'s status on Friday, 23-Jun-2023 13:05:57 JST this.ven

     in reply to

     • hypolite
     • musenhain

     @hypolite @musenhain @suprjami That's tricky phishing. 👿 At first, I wasn't able to recognize the different characters replacing the slashes. I would have probably clicked such a link, if it had appeared in a resource from a trustworthy source. 😅

     Even the @ character wasn't suspicious as :mastodon: #Mastodon user profile URLs also use them, for example. Without directly comparing it to the same URL it's hard to distinguish the first one especially depending on the font:

     https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip ❌

     https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip ✔️

   • Embed this notice
     this.ven (thisven@digitalcourage.social)'s status on Friday, 23-Jun-2023 21:45:59 JST this.ven

     in reply to

     • Tusky
     • hypolite
     • musenhain

     @hypolite @musenhain @suprjami Yeah, I already noticed that when writing the reply in @Tusky. #BugOrFeature? 😄

   • Embed this notice
     hypolite (hypolite@friendica.mrpetovan.com)'s status on Friday, 23-Jun-2023 21:46:00 JST hypolite

     in reply to

     • musenhain
     • this.ven
     @thisven @musenhain @suprjami Funnily enough #Friendica ‘s automatic URL linker in posts doesn’t match the malicious link: