[Coco] Big Security Issue
Andrew
keeper63 at cox.net
Sat May 27 16:24:50 EDT 2023
Didn't watch the video, but based on the replies here, and some
googling, I'm taking it that it's this:
https://www.theregister.com/2023/05/17/google_zip_mov_domains/
As that article states, this kind of thing could already be done, and
blocking .zip TLDs seems extreme, as there are at least a couple of TLDs
that could be used in the same manner, as they noted:
.com (Microsoft's .COM files back in the bad-ole DOS days)
.pl (Perl script file extension - but also TLD for Poland)
Maybe it's because those extensions don't mean anything like a ".zip"
extension still does to many users, which is why such a thing wasn't tried?
Even so, going to extremes like blocking the TLD, or renaming .zip files
to a different extension (BS we already have to do for the Facebook
Files section on the CoCo forums - most use ".z1p" instead of ".zipfile"
- but it doesn't really matter), or converting a mass of files (and
verifying they still work!) from ZIP to some other format.
It's a pre-optimization step that may or may not even prove necessary.
I personally wouldn't worry about it until or unless we see such a thing
being done "out in the wild". I'm sure if the "hack" is attempted, a fix
for browsers and other such apps will be provided quickly.
Such a fix might already be done or in the works as a result of these
concerns, perhaps.
Something else to consider: the vast majority of people who would
likely be impacted most by such a hack are probably those who are
already impacted, or have been otherwise compromised by other things in
the past, who likely don't even look at URLs (or even think about them
much), that is, mobile (smart phone, tablet) users.
Most people don't use or buy PCs any longer; they do everything mostly
on a phone, or maybe a tablet for "larger stuff"...
I guess I'm just saying let's not be so quick to throw the baby out with
the bathwater, before we even know if the water is really a problem.
Andrew L. Ayers
Glendale, Arizona
phoenixgarage.org
github.com/andrew-ayers
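The point made above, that a filename-looking string such as "something.zip" (or ".com", ".pl") also parses as a valid hostname, can be turned into a simple triage check rather than a blanket TLD block. The following is an added example, not code from the poster or the CoCo list: it takes a plain-text message, finds tokens that a browser or mail client would linkify as a host, and reports those whose TLD doubles as a well-known file extension. The AMBIGUOUS_TLDS table and SAMPLE_MESSAGE are constructed for the example.

```python
"""Flag tokens in a message that parse as hostnames under a TLD that is also
a common file extension (.zip, .mov, .com, .pl). Added example; the TLD
table and the sample message below are constructed, not from the thread."""
import re
from urllib.parse import urlsplit

# TLDs that are also familiar file extensions (constructed sample set).
AMBIGUOUS_TLDS = {
    "zip": "ZIP archive",
    "mov": "QuickTime video",
    "com": "DOS executable",
    "pl": "Perl script",
}

# A host we care about: letters/digits/hyphens with at least one dot.
_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def hostname_of(text):
    """Return the hostname a linkifier would resolve `text` to, or None.

    A bare token such as "notes.zip" is treated the way auto-linking does:
    as if it had been written with an http:// scheme in front of it.
    """
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        host = urlsplit(candidate).hostname  # already lower-cased by urlsplit
    except ValueError:
        return None
    if not host or not _HOST_RE.match(host):
        return None
    return host


def classify(text):
    """Return (tld, description) when `text` is a host under an ambiguous TLD."""
    host = hostname_of(text)
    if host is None:
        return None
    tld = host.rsplit(".", 1)[-1]
    if tld in AMBIGUOUS_TLDS:
        return tld, AMBIGUOUS_TLDS[tld]
    return None


def scan_message(body):
    """Return [(token, tld, description), ...] for every flagged token in `body`."""
    findings = []
    for raw in body.split():
        token = raw.strip(".,;:!?()[]<>\"'")  # drop surrounding punctuation
        hit = classify(token)
        if hit:
            findings.append((token, *hit))
    return findings


# Constructed sample message resembling a forum post about archive files.
SAMPLE_MESSAGE = (
    "Grab the latest ROM pack from coco-roms.zip and the notes in "
    "readme.txt; see http://example.com/files for the rest."
)

if __name__ == "__main__":
    for token, tld, desc in scan_message(SAMPLE_MESSAGE):
        print(f"{token!r}: resolves as a .{tld} host, reads like a {desc}")
```

Run on the sample, the scanner flags "coco-roms.zip" but also "http://example.com/files", because .com is in the table; that second hit is exactly the noise the post is pointing at, and it is why this kind of check is better used to prompt a closer look at a link than to block a whole TLD.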