example: google.com -> http://www.5z8.info/dogs-being-eaten_x2r3rq_5waystokillwitha...
Which is safe and wonderful and which is dangerous?
https://irc.verylegit.link/0x8c*download()194mobiads(windows... is supposed to redirect to Facebook, and it does if you use HTTP. However, over HTTPS Firefox just gives me a very generic "Secure Connection Failed" message. (Chrome is rather more helpful, giving me "ERR_CONNECTION_CLOSED".)
Edit: Although it appears Hacker News decided to mangle this link that I posted. Apparently it's not happy about mismatched parentheses in links. Why HN wants to try to match parentheses in links... that's a good question.
Note the second line, "The connection to irc.verylegit.link was interrupted while the page was loading." Does that show up for you?
But yeah I noticed this trend too in browsers, it's getting harder to get to the technical bits every time they try to make these warnings more user friendly. I usually switch to openssl s_client in a terminal at this point.
I've been aware of it since Linus Torvalds pointed out that so-called "ux-improvements" were actually ux problems back in GNOME 2.
UX-ers here (hopefully there must be a few ones from Google and Mozilla here): please help stop this long trend of dumbification. I'm not asking you to make it like bash and vim, just to stop hiding menus, removing settings etc. etc.
This is one of the only HTTPS errors that you aren't required to click through to uncover the details of the error—the connection is being shut down.
And yes, there are users who click on executables carelessly, but those aren't scared by url-parts.
Exe files have a much bigger impact and can be run through emulation on non-Windows systems.
I'd say exe is a much better choice.
How does it work?
Due to rapid advancement in dark ritual technology,
the programming community has streamlined the
Development and deployment of unspeakable
Using robust open-source libraries like a sack of
live geese, websites like this one can be
developed with far more efficient sacrificial
rituals than ever before.
We're still stuck on the version with
really inefficient sacrificial rituals
though, due to comp͆aͭatib̊i̼͕l̈̿i̮̜t̚y̅ ͊i͋s̾s̢͈͠u̶e̛̊s̼̃.
and get a Corrupted Content Error (edit: under Firefox)
That might even be useful when posting links to HN.
So, there's that.
(DNSMasq, router-based blocklist.)
My router doesn't have sufficient resources to list individual hosts, particularly where widespread abuse is found. Plus it's just too much fucking work.
BlueCoat Security (now part of Symantec) have been publishing a "Shady TLD series".
Basically: to 2-3 nines, these TLDs are nothing but trouble. If they can't clean up their own acts, fuck 'em.
And let that be a warning to other TLD registrars.
This being an assessment based on local awareness of circumstances.
Risk. Reward. Administrative cost.
The first of these I blocked when I looked at the domain and realised that the TLD were registering any old line noise. I'm not going to bother sorting that. Search for other experience turned up Blue Coat.
I subscribe to blocklists, and they update periodically. There are other levels of protection.
When a TLD is 99.9% malware or scams, it's far easier to block it outright. Registrars should take responsibility for what they're registering. Not my problem.
Of course I also have a .com but it's not linked up to the .rocks because I'm lazy
Regarding the advice, personally I think the advice is bogus. A lot of Mastodon instances have started legitimately using unconventional newTLDs. And I seem to see more URI shorteners, .com and .ru in spam than all the newTLDs put together (zero, from a hacked site, costs less than free). Country K-lining, while attractive to the lazy network operator, only works as an extreme temporary measure in a crisis - spammers adapt, but blocklists tend to only grow. And perhaps Symantec, given their business dealings with Verisign, might not be a 100% neutral party in making recommendations seemingly targeted primarily at severely disrupting the present and future business of cheaply-available TLDs?
Regarding Blue Coat, research shows Blue Coat devices are also used in the censorship/mass surveillance programmes of: Russia, UAE, Bahrain, Iran, and even China. Please also remember Blue Coat devices intercept, log and parse near-everything that goes through them. That puts them at a significantly elevated security risk above a network which didn't have them at all. I know I would find it unethical to report any vulnerabilities to that vendor, and I know I am not the only one who thinks so. And middleboxes like that are incredibly frustrating to the interoperability of the internet and present probably the single biggest hurdle to progress in internet protocols - ask someone in the IETF TLS Working Group currently working on TLS 1.3 just exactly what they think of them!
The federated structure of Mastodon means that, so long as I'm accessing toots via my host instances, the source of the toots doesn't matter. That plumbing is managed by the instances, not my local network gateway.
(If I were locally hosting, the situation would be different.)
Punching holes as needed would be another alternative.
I'm aware of the various arguments in favour, and opposed to, various forms of security blocking or not. I've participated in those discussions for most of the past 30 years. There are times when the onslaught simply becomes sufficiently excessive that measures need to be taken.
DNS namespace is large. I'm not going to independently add every last damned host, or domain, by hand. And even with blocklist subscriptions, the overhead is substantial.
I suspect this is a situation which may come to a head in the not-too-distant future, though timing such matters is difficult. The consolidation of much Web activity to a relatively small number of sites already reflects this in part.
My set (dnsmasq format):
# Shady TLDs (see BlueCoat)
$ host i.am.the.top
i.am.the.top has address 0.0.0.0
Mind that if I want to access a site, I can do so by using one of several proxies. E.g., archive.is or the like.
The blocks are, in that sense, soft, but strongly advisory.
I'm also increasingly blocking just straight-up shit sites, as well as a large number of advertising and monitoring sites, via standard blocklists (mostly based off uBlock / uMatrix's lists).
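An added example, not part of the thread and not the commenter's own configuration: one way to render a TLD-wide dnsmasq blocklist like the one described above and to check which hostnames it covers. The TLD list is constructed ("top" is the TLD queried in the comment; the other two entries are placeholders), and the helper names are hypothetical.

```python
import re

# Constructed sample list. "top" is the TLD queried in the comment above;
# the other two are placeholders, not entries from any published list.
SAMPLE_TLDS = ["top", "Example-TLD-One.", "example-tld-two"]

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize_tld(tld):
    """Lower-case, strip dots, and reject anything that is not a single label.

    Rejecting '/', whitespace and newlines keeps a hostile list entry from
    smuggling an extra directive into the generated config file.
    """
    label = tld.strip().strip(".").lower()
    if not _LABEL.fullmatch(label):
        raise ValueError(f"not a single DNS label: {tld!r}")
    return label


def dnsmasq_lines(tlds, sink="0.0.0.0"):
    """Render one address=/<tld>/<sink> line per unique TLD, sorted."""
    labels = sorted({normalize_tld(t) for t in tlds})
    return [f"address=/{label}/{sink}" for label in labels]


def is_blocked(hostname, tlds):
    """True if the hostname's last label is a blocked TLD.

    dnsmasq matches address=/domain/ on whole labels, so 'laptop' is not
    covered by a rule for 'top', while 'i.am.the.top' is.
    """
    blocked = {normalize_tld(t) for t in tlds}
    labels = hostname.strip().rstrip(".").lower().split(".")
    return labels[-1] in blocked


if __name__ == "__main__":
    print("\n".join(dnsmasq_lines(SAMPLE_TLDS)))
    for name in ("i.am.the.top", "top.example.com", "laptop"):
        print(name, "->", "blocked" if is_blocked(name, SAMPLE_TLDS) else "allowed")
```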
> so how are pointless jokey links tolerated?
This is a small technical project. It requires some minimal level of technical abilities. A variation of this may be useful. (But I can't think of any useful variation now.)
So I think it's a good submission, perhaps to get 50-100 points, and a #20 in the front page. I think that 250 points and the #1 in the front page is too much, but whatever.
[not a quote] So a page with a funny domain with a static text that says "YES" or "NO" is a good submission?
Nah. This has a very low level of technical content. But if the text is determined by the blockchain, or user votes, a sensor, or something it may be good enough. But it would be better to submit a blog post explaining the projects.
My thoughts are, why should the "obviously dodgy looking" link be any more risky than a bit.ly shortened one? Bit.ly is not coming out and saying "I'm shady", but other than that you have no idea what's on the other end.
(I'd argue most people don't know about the + on the end reveal).
I'd have no qualms clicking on it, because my browser and I can handle suspicious websites. (Especially ones ending pdf.)
Something that would give pause would be:
I would think...wait a minute... I probably wouldn't click this example.
If this seemed suspicious to the people you're talking about, nobody would start a letter to them with the words, "Please permit me to make your acquaintance in so informal a manner. This is necessitated by my urgent need to reach a dependable and trust wordy foreign partner. This request may seem strange and unsolicited but I will crave your indulgence and pray that you view it seriously." (I found this example online.)
So, I simply disagree that the example produced looks suspicious. It looks fine.
Further, I wouldn't even think twice before clicking it. The example I quoted simply doesn't look suspicious. (Because pdf is a 'safe' filetype.) I don't think it would give the average Internet user pause, either.
You can open PDF files in Chrome. Even malicious ones. It's okay.