Google's recent addition of eight new top-level domains (TLDs) to the Internet, including ".zip" and ".mov," has raised concerns among security experts. While Google marketers claim the new TLDs represent concepts like "tying things together" and "moving pictures," the same strings are commonly used as file extensions for archive files and video files. The worry is that when a name ending in one of these TLDs is displayed in emails or social media, it can be automatically converted into a clickable link, potentially leading users to malicious websites.
Security practitioners are warning that scammers could take advantage of this confusion by registering domain names similar to commonly used file names, luring people into clicking and downloading malicious content. For instance, a scammer could register a domain like "photos.zip" and trick users into downloading malware instead of a legitimate file.
Moreover, the use of Unicode characters in URLs can make malicious domains appear almost identical to legitimate ones, further complicating the matter. Critics argue that these new TLDs may facilitate phishing attacks and other forms of online deception.
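As an added example (not from the article or from Google), the Python below shows how a mail or chat gateway could flag the two patterns described above: bare file-name-like tokens that a client may auto-link to a ".zip" or ".mov" domain, and URLs whose host contains non-ASCII or punycode labels. The function name, finding labels and sample message are constructed for illustration, and the regular expressions are an assumption about what a linkifier treats as a link.

```python
import re
from urllib.parse import urlsplit

FILE_LIKE_TLDS = ("zip", "mov")  # the two TLDs the article singles out

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Bare "name.zip" / "name.mov" token that is not part of a path, e-mail address or longer word
BARE_RE = re.compile(r"(?<![\w./@-])(?:[\w-]+\.)+(?:zip|mov)(?![\w-])", re.IGNORECASE)


def review_text(text):
    """Return (kind, value) findings for link text a mail or chat gateway should review."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # drop sentence punctuation
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # urlsplit rejects some malformed netlocs
            findings.append(("unparseable-url", url))
            continue
        # Explicit link whose host sits under a TLD that looks like a file extension
        if host.rsplit(".", 1)[-1] in FILE_LIKE_TLDS:
            findings.append(("url-on-file-like-tld", url))
        # Unicode or punycode host labels can imitate a familiar ASCII name
        if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
            findings.append(("idn-host", url))
    # Bare tokens: a client that auto-links them sends the reader to a domain, not a file
    for match in BARE_RE.finditer(URL_RE.sub(" ", text)):
        findings.append(("bare-filename-domain", match.group(0)))
    return findings


# Constructed sample message (not from the article); \u0430 is Cyrillic "a"
SAMPLE = (
    "Backup is in photos.zip, mirror at https://example.zip/get "
    "and https://ex\u0430mple.com/login. "
    "Docs: https://example.com/files/report.zip"
)

if __name__ == "__main__":
    for kind, value in review_text(SAMPLE):
        print(f"{kind:22} {value}")
```

The last URL in the sample is an ordinary file download on a ".com" host and is deliberately not flagged; only the host's TLD and character set are inspected, not the path.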
While Google defended its use of these TLDs and highlighted browser mitigations such as Google Safe Browsing, which warns users of malicious websites, some security experts are calling for the removal of ".zip" and ".mov" from the public suffix list (PSL) to prevent their misuse.
The debate highlights the complexities and potential risks associated with introducing new TLDs, particularly those that may lead to confusion and increase the threat of online scams and phishing attacks. As the Internet continues to evolve, striking a balance between innovation and security remains an ongoing challenge for domain name management and regulation.