{"id":19509,"date":"2023-05-26T13:56:20","date_gmt":"2023-05-26T12:56:20","guid":{"rendered":"https:\/\/exa.net.uk\/?p=19509"},"modified":"2024-05-15T16:58:06","modified_gmt":"2024-05-15T15:58:06","slug":"googles-zip-mov-tlds","status":"publish","type":"post","link":"https:\/\/edit.exa.net.uk\/knowledge-hub\/technical\/googles-zip-mov-tlds\/","title":{"rendered":"Google&#8217;s .zip &#038; .mov TLDs &#8211; Blocking phishing URLs"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"19509\" data-post-id=\"19509\" data-obj-id=\"19509\" class=\"elementor elementor-19509 dce-elementor-post-19509\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-2e642dc0 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-dce-background-image-url=\"https:\/\/exa.net.uk\/wp-content\/uploads\/2022\/11\/blog-post-top.png\" data-id=\"2e642dc0\" data-element_type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;,&quot;jet_parallax_layout_list&quot;:[{&quot;_id&quot;:&quot;6d8e4b3&quot;,&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:null,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-56af8b04\" data-id=\"56af8b04\" data-element_type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div data-dce-background-color=\"#FFFFFF\" class=\"elementor-element elementor-element-3a1d4750 master-btn-width elementor-mobile-align-center elementor-widget__width-auto elementor-widget-mobile__width-inherit elementor-absolute elementor-widget elementor-widget-button\" data-id=\"3a1d4750\" data-element_type=\"widget\" data-settings=\"{&quot;_position&quot;:&quot;absolute&quot;}\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/exa.net.uk\/knowledge-hub\/\" target=\"_blank\" rel=\"noopener\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t<span class=\"elementor-button-icon\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-caret-left\"><\/i>\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Knowledge Hub<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7553618a elementor-widget__width-auto elementor-widget elementor-widget-heading\" data-id=\"7553618a\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Knowledge <span class=\"lightblue\">Hub<\/span><sup class=\"blog-tm\">TM<\/sup><span class=\"hub-image\"><img decoding=\"async\" src=\"https:\/\/exa.net.uk\/wp-content\/uploads\/2021\/02\/education.svg\" alt=\"\" title=\"\"><\/span><\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2b0479e9 elementor-widget__width-initial elementor-widget elementor-widget-theme-post-title elementor-page-title elementor-widget-heading\" data-id=\"2b0479e9\" data-element_type=\"widget\" data-widget_type=\"theme-post-title.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Google&#8217;s .zip &#038; .mov TLDs &#8211; Blocking phishing URLs<\/h1>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-103f2b65 elementor-widget__width-initial elementor-hidden-phone elementor-widget elementor-widget-spacer\" data-id=\"103f2b65\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-545bb243 elementor-mobile-align-center elementor-align-center elementor-widget__width-initial post-info elementor-widget elementor-widget-post-info\" data-id=\"545bb243\" data-element_type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<ul class=\"elementor-inline-items elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-ba9c996 elementor-inline-item\" itemprop=\"datePublished\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-date\">\n\t\t\t\t\t\t\t<span class=\"elementor-post-info__item-prefix\">Date Posted:<\/span>\n\t\t\t\t\t\t\t\t\t\t<time>26.05.2023<\/time>\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-7e61590 elementor-inline-item\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t<span class=\"elementor-post-info__item-prefix\">Read time:<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">11 min read<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-a339c7b elementor-inline-item\" itemprop=\"author\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-author\">\n\t\t\t\t\t\t\t<span class=\"elementor-post-info__item-prefix\">Written by:<\/span>\n\t\t\t\t\t\t\t\t\t\tExa Networks\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-33be5e0b elementor-widget__width-initial elementor-hidden-phone elementor-widget elementor-widget-spacer\" data-id=\"33be5e0b\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-8587caa elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8587caa\" data-element_type=\"section\" id=\"main-article\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;_id&quot;:&quot;5fc546a&quot;,&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:null,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-3bf7379a\" data-id=\"3bf7379a\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7caea28c custom-posts elementor-widget elementor-widget-text-editor\" data-id=\"7caea28c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h4>The launch of\u00a0Google&#8217;s\u00a0.zip and .mov top level domains (TLDs) engendered controversy from the security community and internet at large, due to the\u00a0opportunity they present for crafting increasingly plausible looking phishing URLs.<\/h4><p>On the face of it, we assumed that the issue would likely warrant a cursory investigation and marketing response to help raise\u00a0awareness of the tell-tale signs to look out for. However, in forming our response we realised that we could make changes to the way we\u00a0parse and filter URLs to better guard against spoofing attacks.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2705284 elementor-widget elementor-widget-heading\" data-id=\"2705284\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Fool me once<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-234845f1 elementor-widget elementor-widget-text-editor\" data-id=\"234845f1\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Amid the controversy, a <a href=\"https:\/\/medium.com\/@bobbyrsec\/the-dangers-of-googles-zip-tld-5e1e675e59a5)\" target=\"_blank\" rel=\"noopener\">post<\/a>\u00a0by security researcher\u00a0Bobby Rauch highlights how an attacker might use the .zip TLD, posing a simple question:<\/p><blockquote><p>Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?<\/p><p>https:\/\/github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip<\/p><p>https:\/\/github.com\/kubernetes\/kubernetes\/archive\/refs\/tags\/v1.27.1.zip<\/p><\/blockquote><p>We came across this example published with no context in a link to the full post, and heedless of the URL parsing experience\u00a0that we&#8217;ve built (developing and running a service that handles about 1 billion web requests a day) it was initially hard for our R&amp;D\u00a0architect to distinguish.<\/p><p>&#8220;Ah!&#8221;, I said &#8220;I see where a naive parser might go\u00a0wrong&#8221;.<\/p><p>I then proceeded to mechanically quote <span style=\"color: #0000ff;\"><a style=\"color: #0000ff;\" href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc1738\" target=\"_blank\" rel=\"noopener\">the<\/a><\/span>\u00a0<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc3986\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">RFCs<\/span><\/a>\u00a0and point out that the first slash terminates the *authority* section of a URL so, while it may look at first glance like everything before\u00a0the &#8216;@&#8217; character might be interpreted as *userinfo* for the host `v1271.zip`, we were actually perfectly safe.<\/p><p>Intercepting all of the web traffic that originates from our schools throws up some unique challenges. We end up filtering requests from\u00a0a mix of up-to-date browsers, old software that implements old and obsoleted specs, or applications that speak non-RFC compliant HTTP dialects,<span class=\"Apple-converted-space\">\u00a0<\/span>with a dedicated backend service and were never expected to speak with an actual web server or proxy. This means that we have to detect and\u00a0gracefully handle a host of quirky behaviours, to avoid breaking the software our customers depend on. But we&#8217;re stricter about the way that we\u00a0interpret URLs to ensure against any ambiguity that may lead to incorrectly applied filtering.<\/p><p>Usually it&#8217;s the job of the web browser to parse the URL as you see it in the URL bar, which is then written in a different format inside an\u00a0actual HTTP request. Notably, the host and *userinfo* components get written into dedicated header fields while the URL-path is provided as a\u00a0URI as part of the initial request line. Parsing becomes a little more complicated when your browser is explicitly configured to use a proxy\u00a0server. The intermediary is expected to accept an absolute-form URI that&#8217;s identical to the full URL, but the upshot of filtering HTTP\u00a0requests is that they rely on the client to tell us where you want to go.<\/p><p>Since we trust major browsers to perform this task safely, I reasoned that our users were no more exposed to phishing attacks than if the\u00a0URL pointed to a host under any other TLD.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5209ba5 elementor-widget elementor-widget-heading\" data-id=\"5209ba5\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">The dangers of unicode<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3a5dd022 elementor-widget elementor-widget-text-editor\" data-id=\"3a5dd022\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>The eagle-eyed among us have probably already noticed that the slashes in our two candidate URLs don&#8217;t quite look the same. That&#8217;s because, while\u00a0the legitimate URL uses the expected, ASCII-defined slash (&#8220;\/&#8221;) character to delimit path segments, the phishing example employs some cunning\u00a0sleight-of-hand to replace slashes with a look-alike unicode character.<\/p><p>It&#8217;s relatively easy to see the difference when you&#8217;re directly comparing two side-by-side examples, but the replacement is far harder to notice<\/p><p>when clicking on a link that shown on it&#8217;s own, particularly when the *protocol* component of the URL is omitted:<\/p><blockquote><p>github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip<\/p><\/blockquote><p>The effect is easier to describe with this visualisation:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2ae57a8 dce_masking-none elementor-widget elementor-widget-image\" data-id=\"2ae57a8\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"116\" src=\"https:\/\/edit.exa.net.uk\/wp-content\/uploads\/2023\/05\/image-3-1024x116.png\" class=\"attachment-large size-large wp-image-19521\" alt=\"google&#039;s .zip &amp; .mov TLDs\" srcset=\"https:\/\/edit.exa.net.uk\/wp-content\/uploads\/2023\/05\/image-3-1024x116.png 1024w, https:\/\/edit.exa.net.uk\/wp-content\/uploads\/2023\/05\/image-3-300x34.png 300w, https:\/\/edit.exa.net.uk\/wp-content\/uploads\/2023\/05\/image-3-768x87.png 768w, https:\/\/edit.exa.net.uk\/wp-content\/uploads\/2023\/05\/image-3-1536x175.png 1536w, https:\/\/edit.exa.net.uk\/wp-content\/uploads\/2023\/05\/image-3.png 1751w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" title=\"\">\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1df3e14 elementor-widget elementor-widget-text-editor\" data-id=\"1df3e14\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Because there&#8217;s no actual slash character in what we thought to be the path, this substition means that &#8220;correct&#8221; parsing of the URL will interpret\u00a0everything on the left of the &#8216;@&#8217; as authentication data, while the host and path are expected on the right. This means that the link actually\u00a0takes you to v1271.zip, which is a valid hostname with the newly introduced TLD.\u200b<\/p><p>Even when we knew to look for unexpected behaviour in one of the example URLs,\u00a0examining the correctness of the parser completely missed the point of the vulnerability: we assumed the &#8216;@&#8217; character to be safe because we\u00a0erroneously thought it belonged to a portion of the URL in which it has no particular meaning, rather than actually delimiting the *userinfo*\u00a0subcomponent from the rest of the *authority*.\u200b<\/p><p>Note that SurfProtect will in this case still apply your school&#8217;s filtering policy to the actual host you&#8217;re being directed to, but phishing\u00a0attempts aren&#8217;t simple to classify based on the content they serve alone, and we&#8217;d rather find a safer solution for guarding against users\u00a0being tricked.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9c2224a elementor-widget elementor-widget-heading\" data-id=\"9c2224a\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">An attack on .zip<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6ae7ceb2 elementor-widget elementor-widget-text-editor\" data-id=\"6ae7ceb2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>The claim that we&#8217;re dubious of is that the problem is somehow caused by the the introduction of the new .zip and .mov TLDs.<\/p><p>While it&#8217;s true that the collision with a popular file extension helps to hide the fact that there&#8217;s even another potential hostname that appears\u00a0after the &#8216;@&#8217; character, the post&#8217;s own URL demonstrates that there are other viable concealment methods:<\/p><blockquote><p>https:\/\/medium.com\/@bobbyrsec\/the-dangers-of-googles-zip-tld-5e1e675e59a5<\/p><\/blockquote><p>If that format doesn&#8217;t worry users then it&#8217;s unlikely that anyone would be alarmed by this similar format:<\/p><blockquote><p>medium.com\u2215@pepperoni.pizza\u2215the-dangers-of-too-much-cheese-5e1e675e59a5<\/p><\/blockquote><p>And we suspect that internationalized domain names will sufficiently obfuscate even long-established country-specific TLDs for users to follow\u00a0links without concern:<\/p><blockquote><p>http:\/\/www.microsoft.com\u2215articles\u2215@xn--bb-eka.at\/de\/reiseplanung-services\/vor-ihrer-reise\/reservierung-sitzplatz<\/p><\/blockquote>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ded0578 elementor-widget elementor-widget-heading\" data-id=\"ded0578\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Our Response<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5e1370cc elementor-widget elementor-widget-text-editor\" data-id=\"5e1370cc\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Many organisations are now apparently recommending that people block access to these new TLDs, and schools can certainly do so if they wish by\u00a0<span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size );\">adding entries for `.zip` and `.mov` to their url blocklists within the <a href=\"https:\/\/panel.surfprotect.co.uk\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">SurfProtect panel<\/span>.<\/a><\/span><\/p><p><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size );\">Contrary to this advice, however, we believe that blocking access to ICANN-approved TLDs that are not reserved for any specific category of\u00a0<\/span><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size );\">content, would be neither an appropriate action for a content filtering system, nor an effective countermeasure to combat the threat of the spoofing\u00a0<\/span><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size );\">attacks discussed in this article. Instead, we will update SurfProtect&#8217;s URL filtering to block access to any URL that contains unicode within the\u00a0<\/span><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size );\">*userinfo* field (which subsumes the obsoleted username:password portion from RFC1738).<\/span><\/p><p><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size );\">It is believed that this response will better protect users from the threat of phishing by ensuring that the components of a URL can be identified\u00a0<\/span><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size );\">through visual inspection.<\/span><\/p><p>This action will not prevent users from being misled by all phishing URLs, since correct interpretation is still required to identify the values of\u00a0<span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size );\">each component within a URL. In the <\/span><span style=\"font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size ); color: #0000ff;\"><a style=\"color: #0000ff;\" href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc3986#section-7.6\" target=\"_blank\" rel=\"noopener\">example provided in RFC3986<\/a><\/span><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size );\">, it is noted that<\/span><\/p><blockquote><p>`ftp:\/\/cnn.example.com&amp;story=breaking_news@10.0.0.1\/top_story.htm`<\/p><p>&#8220;might lead a human user to assume that the host is &#8216;cnn.example.com&#8217;, whereas it is actually &#8216;10.0.0.1&#8217;&#8221;.<\/p><\/blockquote><p><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-size: var( --e-global-typography-text-font-size );\">While we can successfully block some attacks, we still recommend that user education is necessary to effectively combat the <a href=\"https:\/\/exa.net.uk\/protect-school-ransomware-attacks\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">risk of phishing.<\/span><\/a><\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-inner-section elementor-element elementor-element-306a1079 elementor-section-content-middle elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"306a1079\" data-element_type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;_id&quot;:&quot;62e95af&quot;,&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:null,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-2f96de0b\" data-id=\"2f96de0b\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-57c995e0 next-read-section elementor-widget elementor-widget-heading\" data-id=\"57c995e0\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<p class=\"elementor-heading-title elementor-size-default\"><span class=\"lightblue\">Suggested<\/span> Next Read <span class=\"lightblue\"><i class=\"fas fa-caret-right\"><\/i><\/span><\/p>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-4ae5de96\" data-id=\"4ae5de96\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d8dcf6f custom-slider blog-slide custom-slider-green elementor-widget__width-initial elementor-widget elementor-widget-ucaddon_uc_card_post_carousel_blog\" data-id=\"d8dcf6f\" data-element_type=\"widget\" data-widget_type=\"ucaddon_uc_card_post_carousel_blog.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\n<!-- start Card Post Carousel - Blog -->\n\t\t<link id='font-awesome-css' href='https:\/\/edit.exa.net.uk\/wp-content\/plugins\/unlimited-elements-for-elementor\/assets_libraries\/font-awesome6\/fontawesome-all.min.css' type='text\/css' rel='stylesheet' >\n\t\t<link id='font-awesome-4-shim-css' href='https:\/\/edit.exa.net.uk\/wp-content\/plugins\/unlimited-elements-for-elementor\/assets_libraries\/font-awesome6\/fontawesome-v4-shims.min.css' type='text\/css' rel='stylesheet' >\n\t\t<link id='owl-carousel-css' href='https:\/\/edit.exa.net.uk\/wp-content\/plugins\/unlimited-elements-for-elementor\/assets_libraries\/owl-carousel\/assets\/owl.carousel.css' type='text\/css' rel='stylesheet' >\n\n<style>\/* widget: Card Post Carousel - Blog *\/\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f *{\n  box-sizing:border-box;\n}\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f{\n  position:relative;\n}\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .uc_image_carousel_content{\n\ttext-align:left;\n    display: flex;\n     flex-flow: column nowrap;\n}\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .ue_post_carousel_item\n{\n  overflow:hidden;\n  \n}\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .ue_post_btn_holder\n{\n  margin-top:auto;\n}\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .uc_more_btn{\n\n  display:inline-block;\n  text-align:center;\n  text-decoration:none;\n} \n\n.uc_overlay_image_carousel .uc_more_btn{\n  text-decoration:none;\n  display:inline-block;\n}\n\n.uc_overlay_image_carousel .uc_post_title{\n  font-size:21px;\n  text-decoration:none;\n}\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .owl-nav .owl-prev{\n    position:absolute;\n    left:-40px;\n    display:inline-block;\n    text-align:center;\n}\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .owl-nav .owl-next{\n  position:absolute;\n    right:-40px;\n  display:inline-block;\n  text-align:center;\n}\n\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .owl-dots {\noverflow:hidden;\ndisplay:false !important;\ntext-align:center;\n}\n\n#uc_uc_card_post_carousel_blog_elementor_d8dcf6f .owl-dot {\nborder-radius:50%;\ndisplay:inline-block;\n}\n\n<\/style>\n\n<div class=\"uc_overlay_image_carousel\" id=\"uc_uc_card_post_carousel_blog_elementor_d8dcf6f\" style=\"direction:ltr;\">\n   <div class=\"uc_carousel owl-carousel owl-theme\">\n   \t\t<div class=\"uc_image_carousel_container_holder ue_post_carousel_item\">\n  <div class=\"uc_image_carousel_placeholder\">\n    <a href=\"https:\/\/edit.exa.net.uk\/knowledge-hub\/technical\/ensuring-robust-security-through-regular-firewall-updates\/\">\n\t\t\n      <div class=\"custom-slider-bg\" style=\"background-image:url(https:\/\/edit.exa.net.uk\/wp-content\/uploads\/2021\/03\/fortinet-logo.svg); background-size:cover; background-position:center; height:115px;\">\n\t\t<div class=\"color-bg\">\n\t\t\t<div class=\"content-info\">\n\t\t\t\t<a href=\"https:\/\/edit.exa.net.uk\/knowledge-hub\/technical\/ensuring-robust-security-through-regular-firewall-updates\/\" style=\"text-decoration:none;\"><div class=\"uc_post_title\" style=\"text-decoration:none;\">Ensuring Robust Security Through Regular Firewall Updates<\/div><\/a>\t\t\t<\/div>\n\t\t\n\t\t<\/div>\n      <\/div>\n\t<\/a>\n  <\/div>\n\n  <div class=\"uc_image_carousel_content\" >\n    <a class=\"post-link\" href=\"https:\/\/edit.exa.net.uk\/knowledge-hub\/technical\/ensuring-robust-security-through-regular-firewall-updates\/\">Read Next<\/a>  <\/div>\n<\/div>\n\n   <\/div>\t\n<\/div>\n<!-- end Card Post Carousel - Blog -->\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<div class=\"elementor-element elementor-element-56c79c98 elementor-widget__width-initial elementor-hidden-phone elementor-widget elementor-widget-spacer\" data-id=\"56c79c98\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"has_eae_slider jet-sticky-column elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-52f48463\" data-jet-settings=\"{&quot;id&quot;:&quot;52f48463&quot;,&quot;sticky&quot;:true,&quot;topSpacing&quot;:155,&quot;bottomSpacing&quot;:50,&quot;stickyOn&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}\" data-id=\"52f48463\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5b42788c elementor-widget elementor-widget-heading\" data-id=\"5b42788c\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span class=\"lightblue\">Related<\/span> Knowledge <span class=\"lightblue\">Hub<\/span>&trade; Articles<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-613dd224 elementor-grid-1 elementor-grid-tablet-1 elementor-posts--thumbnail-top elementor-grid-mobile-1 elementor-widget elementor-widget-posts\" data-id=\"613dd224\" data-element_type=\"widget\" data-settings=\"{&quot;custom_columns&quot;:&quot;1&quot;,&quot;custom_row_gap&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:25,&quot;sizes&quot;:[]},&quot;custom_columns_tablet&quot;:&quot;1&quot;,&quot;custom_columns_mobile&quot;:&quot;1&quot;,&quot;custom_row_gap_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;custom_row_gap_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"posts.custom\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t      <div class=\"ecs-posts elementor-posts-container elementor-posts   elementor-grid elementor-posts--skin-custom\" data-settings=\"{&quot;current_page&quot;:1,&quot;max_num_pages&quot;:0,&quot;load_method&quot;:&quot;&quot;,&quot;widget_id&quot;:&quot;613dd224&quot;,&quot;post_id&quot;:19509,&quot;theme_id&quot;:19509,&quot;change_url&quot;:false,&quot;reinit_js&quot;:false}\">\n      <div class=\"elementor-posts-nothing-found\"><\/div>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6bf5c137 next-read-section elementor-widget elementor-widget-heading\" data-id=\"6bf5c137\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<p class=\"elementor-heading-title elementor-size-default\"><a href=\"https:\/\/exa.net.uk\/knowledge-hub\/\" target=\"_blank\" rel=\"noopener\">Knowledge <span class=\"lightblue\">Hub<\/span>&trade; <span class=\"lightblue\">Home<\/span> <i class=\"fas fa-chevron-right\"><\/i><\/a><\/p>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Knowledge Hub Knowledge HubTM The launch of\u00a0Google&#8217;s\u00a0.zip and .mov top level domains (TLDs) engendered controversy from the security community and internet at large, due to the\u00a0opportunity they present for crafting increasingly plausible looking phishing URLs. On the face of it, we assumed that the issue would likely warrant a cursory investigation and marketing response to &#8230; <a title=\"Google&#8217;s .zip &#038; .mov TLDs &#8211; Blocking phishing URLs\" class=\"read-more\" href=\"https:\/\/edit.exa.net.uk\/knowledge-hub\/technical\/googles-zip-mov-tlds\/\" aria-label=\"Read more about Google&#8217;s .zip &#038; .mov TLDs &#8211; Blocking phishing URLs\">Read more<\/a><\/p>\n","protected":false},"author":4,"featured_media":19542,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"elementor_header_footer","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[73],"tags":[29],"class_list":["post-19509","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technical","tag-11-min-read"],"_links":{"self":[{"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/posts\/19509","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/comments?post=19509"}],"version-history":[{"count":1,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/posts\/19509\/revisions"}],"predecessor-version":[{"id":24012,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/posts\/19509\/revisions\/24012"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/media\/19542"}],"wp:attachment":[{"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/media?parent=19509"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/categories?post=19509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/edit.exa.net.uk\/wp-json\/wp\/v2\/tags?post=19509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}