I don't really get why you'd pick a popular file extension as a TLD. It was bad enough when .java got registered, though that's worse because Oracle decided that the name of an island inhabiting over 150 million people was actually theirs to register (and ICANN want along with it).
The reason .java was approved is because the ISO-3166 designation is the Indonesian "Jawa" rather than the English "Java".[1]
Thinking about this, I can follow their reasoning, although I do find it a little bit too much following the letter of the rule rather than the spirit and perhaps some more thinking might have been prudent.
On the other hand, do we really want to give a special status to English? Using the local language seems to make sense to me – after all, Indonesian people will want to type "gojek.jawa" and not "gojek.java". And there are some questions: should we also consider placenames in Spanish and other widely used languages? Is a small town of 100 residents enough to prevent registration? etc.
I can't imagine those would ever be made available.
Fortunately, .zip seems less worrisome from a security perspective -- you don't execute a zip file. (Unless I'm missing where clicking on .zip files is an intermediary step in a common exploit?)
It's more just confusing from a usability perspective. Like, I don't want domains ending in .jpg or .mp4 or .doc or .txt either, you know? It's a benefit to be able to look at a string and usually be able to reason with high confidence whether it's a domain name or filename.
After we combined the search bar and address bar some queries turn into page loads. So before typing example.zip would perform a search, but now it leaks the terms out to my DNS server, usually in plaintext.
For TLDs that match popular file extensions, this risk is pretty high.
Enabling separate search and URL fields is one of the first things I do when setting up a browser, along with defaulting to DDG search.
Some of the old ccTLDs are offenders too. Too many times have I pasted a shell script's file name into the url bar and it starts loading a search result page.
For more sensitive use cases a better default will disabling search in the "omnibar" altogether like in ungoogled-chromium.
Why would it leak terms to the DNS in plaintext? Aren't most DNS servers encrypted between the client and server? I know that's true for DNS over HTTPS but I thought it was generally true as well these days
> Is this a common thing, where registrars (like Google) basically are now acting like squatters for domains that are actually open?
Yes, but it's kind of surprising to see Google doing it. I'm a bit shocked TBH. I always considered Charleston Road Registry (Google) to be "safe" in the context of not screwing users, but I guess that was a mistake.
Most of the ngTLD registries are run by business and finance people, not product people. IMO the only thing they understand is price discrimination. They're run by the kind of people that would see a dollar bill blowing in the wind and chase it off a cliff.
The biggest thing I don't want when registering a domain or managing a brand is uncertainty. However, the registries and ICANN have proven via their actions that registrants are secondary to the registries. The registries can, have, and will change pricing on existing registrants. ICANN allows it as long as it's a uniform pricing change (ie: everyone gets screwed equally).
Out of the original CNOBI (com, net, org, biz, info) domains I think .com and .net are the only ones with price controls left. I'm sure there will be effort to remove those in a short sighted money grab.
As-is, the only safe TLD is .com. It's the only one with enough registrants to resist getting screwed. All of the new TLDs are a huge risk because you have almost no rights as a registrant.
It's sad too. I think the new TLDs could be awesome for the internet if the registries were run by product people who understood that registrants need stability and long term guarantees. If anything they should be lobbying ICANN for price controls because it makes their product better for the customer. I'm sure Ethos Capital will get right on that [1]. Lol.
> In January 2021, Ethos Capital acquired Donuts after their failed bid to gain control over the .org internet domain.
I think Donuts is by far the largest TLD owner, so that gives an idea of how trustworthy the whole industry is IMO.
I guess the answer is a de-facto ‘yes, because it’s done now and we’d have to revoke registrations to undo it, which is too unpalatable’, but at least some of these are not in accordance with the TLD applications:
The mission of the proposed gTLD, .nexus, is to provide a dedicated domain space in which Google can enact second-level domains that relate to Nexus-related products and⁄or services. Specifically, the new gTLD will provide Google with greater ability to categorize its Nexus offerings online, and in-turn provide a more recognizable, branded, trusted web space to the general Internet population.
…
Charleston Road Registry believes that given its intended use by Google, the .nexus gTLD will best add value to the gTLD space by remaining completely closed for the sole use of Google.
…
Second-level domain names within the proposed gTLD are intended for registration and use by Google only, and domain names under the new gTLD will not be available to the general public for purchase, sale, or registration. As such, Charleston Road Registry intends to apply for an exemption to the ICANN Registry Operator Code of Conduct as Google is intended to be the sole registrar and registrant.
This behavior doesn't depend on TLDs. A href will be to the local origin unless it starts with a protocol ("https://example.com") or two slashes (protocol-relative link, like "//example.com"). (The rest of the rules are that if an href starts with a single slash, then it will be a domain-relative link, otherwise it will be relative to the current URL's path.)
[+] [-] jeroenhd|2 years ago|reply
I don't really get why you'd pick a popular file extension as a TLD. It was bad enough when .java got registered, though that's worse because Oracle decided that the name of an island inhabiting over 150 million people was actually theirs to register (and ICANN want along with it).
[+] [-] arp242|2 years ago|reply
Thinking about this, I can follow their reasoning, although I do find it a little bit too much following the letter of the rule rather than the spirit and perhaps some more thinking might have been prudent.
On the other hand, do we really want to give a special status to English? Using the local language seems to make sense to me – after all, Indonesian people will want to type "gojek.jawa" and not "gojek.java". And there are some questions: should we also consider placenames in Spanish and other widely used languages? Is a small town of 100 residents enough to prevent registration? etc.
[1]: https://gtldcomment.icann.org/applicationcomment/commentdeta...
[+] [-] dragonwriter|2 years ago|reply
Well, we’ve had .com, for a while (though its no longer that popular as a file extension, but…), so…
[+] [-] crazygringo|2 years ago|reply
Fortunately, .zip seems less worrisome from a security perspective -- you don't execute a zip file. (Unless I'm missing where clicking on .zip files is an intermediary step in a common exploit?)
It's more just confusing from a usability perspective. Like, I don't want domains ending in .jpg or .mp4 or .doc or .txt either, you know? It's a benefit to be able to look at a string and usually be able to reason with high confidence whether it's a domain name or filename.
It definitely feels weird to me.
[+] [-] meragrin_|2 years ago|reply
[+] [-] rozularen|2 years ago|reply
[+] [-] 8organicbits|2 years ago|reply
For TLDs that match popular file extensions, this risk is pretty high.
Enabling separate search and URL fields is one of the first things I do when setting up a browser, along with defaulting to DDG search.
[+] [-] nequo|2 years ago|reply
[+] [-] gaudat|2 years ago|reply
For more sensitive use cases a better default will disabling search in the "omnibar" altogether like in ungoogled-chromium.
[+] [-] rgrmrts|2 years ago|reply
[+] [-] atonse|2 years ago|reply
Is this a common thing, where registrars (like Google) basically are now acting like squatters for domains that are actually open?
[+] [-] donmcronald|2 years ago|reply
Yes, but it's kind of surprising to see Google doing it. I'm a bit shocked TBH. I always considered Charleston Road Registry (Google) to be "safe" in the context of not screwing users, but I guess that was a mistake.
Most of the ngTLD registries are run by business and finance people, not product people. IMO the only thing they understand is price discrimination. They're run by the kind of people that would see a dollar bill blowing in the wind and chase it off a cliff.
The biggest thing I don't want when registering a domain or managing a brand is uncertainty. However, the registries and ICANN have proven via their actions that registrants are secondary to the registries. The registries can, have, and will change pricing on existing registrants. ICANN allows it as long as it's a uniform pricing change (ie: everyone gets screwed equally).
Out of the original CNOBI (com, net, org, biz, info) domains I think .com and .net are the only ones with price controls left. I'm sure there will be effort to remove those in a short sighted money grab.
As-is, the only safe TLD is .com. It's the only one with enough registrants to resist getting screwed. All of the new TLDs are a huge risk because you have almost no rights as a registrant.
It's sad too. I think the new TLDs could be awesome for the internet if the registries were run by product people who understood that registrants need stability and long term guarantees. If anything they should be lobbying ICANN for price controls because it makes their product better for the customer. I'm sure Ethos Capital will get right on that [1]. Lol.
> In January 2021, Ethos Capital acquired Donuts after their failed bid to gain control over the .org internet domain.
I think Donuts is by far the largest TLD owner, so that gives an idea of how trustworthy the whole industry is IMO.
[+] [-] thiht|2 years ago|reply
It’s a business, nothing new under the sun.
[+] [-] morkalork|2 years ago|reply
[+] [-] meinheld111|2 years ago|reply
[+] [-] adamhearn|2 years ago|reply
[+] [-] fckgw|2 years ago|reply
[+] [-] TZubiri|2 years ago|reply
[+] [-] adsfoiu1|2 years ago|reply
[+] [-] jrmg|2 years ago|reply
I guess the answer is a de-facto ‘yes, because it’s done now and we’d have to revoke registrations to undo it, which is too unpalatable’, but at least some of these are not in accordance with the TLD applications:
From https://icannwiki.org/.nexus:
The mission of the proposed gTLD, .nexus, is to provide a dedicated domain space in which Google can enact second-level domains that relate to Nexus-related products and⁄or services. Specifically, the new gTLD will provide Google with greater ability to categorize its Nexus offerings online, and in-turn provide a more recognizable, branded, trusted web space to the general Internet population.
…
Charleston Road Registry believes that given its intended use by Google, the .nexus gTLD will best add value to the gTLD space by remaining completely closed for the sole use of Google.
…
Second-level domain names within the proposed gTLD are intended for registration and use by Google only, and domain names under the new gTLD will not be available to the general public for purchase, sale, or registration. As such, Charleston Road Registry intends to apply for an exemption to the ICANN Registry Operator Code of Conduct as Google is intended to be the sole registrar and registrant.
[+] [-] version_five|2 years ago|reply
[+] [-] dang|2 years ago|reply
The .zip TLD sucks - https://news.ycombinator.com/item?id=35920336 - May 2023 (254 comments)
[+] [-] MrZander|2 years ago|reply
Will the browser navigate to an external site or will it try to download google.zip?
[+] [-] AgentME|2 years ago|reply
[+] [-] herpderperator|2 years ago|reply
[+] [-] nevi-me|2 years ago|reply
For it to be a domain name it should at minimal be href="//google.zip", where the browser will inherit your current protocol.
[+] [-] jasonjayr|2 years ago|reply
You would need (at a minimum) '//google.zip' to trigger a cross-domain link
[+] [-] unknown|2 years ago|reply
[deleted]
[+] [-] kkwtflz|2 years ago|reply
[+] [-] sashk|2 years ago|reply
[+] [-] superfrank|2 years ago|reply
[+] [-] adzm|2 years ago|reply
[+] [-] senectus1|2 years ago|reply
[+] [-] whoomp12342|2 years ago|reply
[+] [-] jo-m|2 years ago|reply
[+] [-] wild_pointer|2 years ago|reply
[+] [-] rtvkiz|2 years ago|reply