ISSUE 20.22.F • 2023-05-29
You’re reading the FREE newsletter


You’ll immediately gain access to the longer, better version of the newsletter if you make a donation and become a Plus Member. You’ll receive all the articles shown in the table of contents below, plus access to all our premium content for the next 12 months. And you’ll have access to our complete newsletter archive!

Upgrade to Plus membership today and enjoy all the Plus benefits!

In this issue

PUBLIC DEFENDER: Beware of Google’s .ZIP domain and password-embedded URLs

Additional articles in the PLUS issue

ONENOTE: Longstanding feature requests, and their status

FREEWARE SPOTLIGHT: Three typing tutors — no more “hunt and peck”

ON SECURITY: Is online banking secure?




PUBLIC DEFENDER

Beware of Google’s .ZIP domain and password-embedded URLs


By Brian Livingston

The security community is up in arms, because Google this month started selling domain names with deceptive endings such as .zip and .mov.

Even worse, some browsers are allowing usernames and passwords to be embedded into URLs. This means following a link can expose users to viruses without any explicit action (such as clicking “OK”).

Internet-standards bodies years ago prohibited usernames and passwords in URLs — but hackers still do it.

Figure 1. Google sells .zip, .mov, and other top-level domains. This month, Google started selling domain names that end in “.zip,” “.mov,” and other familiar-sounding extensions. Source: Google webpage

And the official Internet Corporation for Assigned Names and Numbers (ICANN) has enthusiastically added misleading top-level domains (TLDs) such as .zip and .mov to the 1,640 other TLDs from which the organization already collects registration fees.

Yet more domains that sound like legitimate file extensions

The outrage began a few days ago, when Google announced that it was starting to sell domain names in eight new TLDs that ICANN had licensed to the search giant. Someone in Mountain View obviously thought domain names in the following TLDs would sound groovy. More importantly, the novel domains would cause people to buy a lot of such names from Google for $15 a year and up:

  • *.dad, *.esq, *.foo, *.nexus, *.phd, *.prof, *.mov, *.zip

No one really needs vanity domain names such as these. But their flimsy rationale is not the point. The big problems relate to the last two TLDs in that list. For instance, filename.zip sounds exactly like a compressed document, and starwars.mov sounds exactly like a clip from a motion picture.

But, in fact, both of those names — and potentially thousands more that Google will sell — would not be the filenames of actual documents or movies. Instead, clicking a URL containing such strings would take a user’s browser directly to the home page of a hacker’s website. The website might be named filename.zip, starwars.mov, or some other variation that we might never suspect. (IRS.zip, anyone?)

During an innocent user’s visit to such a website, some random document or movie clip might actually be downloaded. This would make it appear to the user that nothing unusual had happened. But that decoy download would occur only after an infected executable had been silently installed on the user’s device.

Everything looks normal, but now you’re infected

The infinite possibilities for deception have been outlined by Bobbyrsec, the Medium handle of a well-known security researcher.

He shows one frightening way hackers can use the new .zip domain names. The technique involves Unicode characters that look almost precisely like the slashes we see in URLs every day. But instead of slashes, these “diagonal” Unicode characters mask the fact that the last thing on the line is actually a website, not a filename.

Figure 2. It’s now easy to make a fake site seem legit. When clicked by a user, Line 1 downloads a legitimate ZIP file. Line 2 replaces slashes with Unicode character 2215, sending the user to a website named v1271.zip that may silently install a virus. Line 3 shows how impossible it can be to notice a hacked URL. The crucial “@” sign in Example 2 has been formatted in Example 3 as 1-point type. The result is a gray speck that’s barely visible. Source: Illustration by author based on Medium article

In Figure 2, Unicode characters 2044 and 2215 look so much like ordinary slashes that most Web users would never notice the difference. These diagonals do have legitimate uses. One is written by mathematicians to form fractions (e.g., 4/5ths). The other is used in formulas to represent division (10/2=5).

The second line of Figure 2 uses these characters as bogus “slashes.” The true destination of the URL is a website we’ll call v1271.zip. (The example is not a real website.) That domain name would belong to a hacker’s server. It wouldn’t be a legitimate .zip file of the open-source software known as Kubernetes.

A weakness in Chromium and some other browser technologies accepts deceptive letter-like shapes in URLs. The flaw was first described as long ago as February 2016 in a Chromium.org bug report (see Issue 584644). The vulnerability was soon rated “WontFix” by admins.

An essential aspect of the hack is shown in lines 2 and 3 of Figure 2. Unknown to most Web users, browsers generally ignore everything in a URL that precedes an “at” sign (@). This feature is exploited by hackers. They post what look like valid Internet paths, such as github.com/kubernetes. The true payload — v1271.zip — is cleverly placed at the URL’s end, where it looks like a typical ZIP file. (This is not the @ sign that’s familiar to us from email addresses. It’s what software engineers call a URL delimiter.)

To conceal the “at” sign, hackers can format the text of a URL so the crucial character is as small as 1 pt. As shown in Example 3, that makes the @ so small that it’s nothing but a tiny gray pixel on-screen. Most people would never notice it.

Let’s look on the bright side. Google does.

Despite the howls from the security community, Google is still selling .zip and .mov domain names at this writing. In fact, the search giant has gone to some lengths to defend its promotion of unusual extensions. In a statement, Google says:

The risk of confusion between domain names and file names is not a new one. For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows. Applications have mitigations for this (such as Google Safe Browsing). These mitigations will hold true for TLD’s such as .zip. At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip.

This explanation sidesteps the fact that command.com sounds like an executable file. Many Web users would exercise reasonable caution before clicking such a name.

By contrast, filename.zip and starwars.mov sound like mundane data files that users might not suspect. And there will soon be thousands of such alluring names — not just a single instance such as command.com.

Is this the worst hack ever? In a word, no. We’ll still continue to find ourselves besieged by the usual Trojan horses, spear-phishing spoofs, identity thefts, denial-of-service attacks, deepfake videos, and other miracles of our technological age. Google didn’t start the fire. Its choice of clever domain names will just throw one more log onto the blaze.

Browser and antivirus vendors are already taking steps to stop the new domain names from getting out of control. For instance, Mozillazine.org maintains a database of “blacklist characters” that browsers should not accept in URLs. The number of banned bytes is now up to 188, with the inclusion of Unicode characters 2044 and 2215.

Whether we know it or not, all of us benefit to some degree from Web block lists. They might be compiled by browser makers, by our company’s IT department, or by our own reticence to click on sites we’re not sure of. Those defensive measures help a great deal. But staying one step ahead of hacker gangs is a never-ending battle, unfortunately.

What should you do about new domains such as .zip and .mov? You or your company may want to block every site using these TLDs — except for specific ones you’ve investigated and found to be legitimate. This may be a case when a domain name should be considered guilty until proven innocent.

Do you know something that we all should know? Tell me about it! Send your story in confidence to publicdefender@askwoody.com.

Join the conversation! Your questions, comments, and feedback about this topic are always welcome in our forums!

The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of 11 Windows Secrets books, and author of the new fintech book Muscular Portfolios. Get his free monthly newsletter.




Here are the other stories in this week’s Plus Newsletter

ONENOTE


Longstanding feature requests, and their status

By Mary Branscombe

We’ve been waiting a long time for the OneNote features promised in 2019.

I asked Microsoft to tell us what’s coming when.

The very first time I heard about OneNote, at a press briefing for Office 2003, I saw how useful it would be — but there were also some things that I thought wouldn’t work. I went over to talk to Microsoft’s Chris Pratley and spent the next 20 minutes trapping him in a corner between the wall and the lunch table, making suggestions and asking for changes, before a PR person tactfully extracted him.

FREEWARE SPOTLIGHT


Three typing tutors — no more “hunt and peck”

By Deanna McElveen

Let’s face it, life is too short to be taking 30 minutes to type out an email or a witty Facebook rebuttal.

Today, I’m going to show you three best-of-the-best — and absolutely free — typing tutors. Each one is a bit different, and each one has some pretty nifty features. So sorry, Mavis Beacon. You’ve always been a nice lady, but you are getting expensive! There is always a free alternative.

ON SECURITY


Is online banking secure?

By Susan Bradley

Over the past few years, banks have been increasing their online footprint.

From mobile banking with cell phones to remote depositing with check scanners, banking has drastically changed. Some of the changes are forced on us due to the changing hours of operation at our local banks, but some of the changes enhance our ability to get our funds where we want them to be.


Know anyone who would benefit from this information? Please share!
Forward the email and encourage them to sign up via the online form — our public newsletter is free!


Enjoying the newsletter?

Become a PLUS member and get it all!


Don’t miss any of our great content about Windows, Microsoft, Office, 365, PCs, hardware, software, privacy, security, safety, useful and safe freeware, important news, analysis, and Susan Bradley’s popular and sought-after patch advice.

PLUS, these exclusive benefits:

  • Every article, delivered to your inbox
  • Four bonus issues per year, with original content
  • MS-DEFCON Alerts, delivered to your inbox
  • MS-DEFCON Alerts available via TEXT message
  • Special Plus Alerts, delivered to your inbox
  • Access to the complete archive of nearly two decades of newsletters
  • Identification as a Plus member in our popular forums
  • No ads

We’re supported by donations — choose any amount of $6 or more for a one-year membership.


The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.


Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2023 AskWoody Tech LLC. All rights reserved.