
Nothing seems more legit than a zip file from a random site. I am grateful that it did not contain any executable file, but I think pdf files also can spread viruses.


I always run any zip/pdf file through https://www.virustotal.com/gui/home/upload


You're complaining that the file is compressed...? You don't trust your unzip software?

How would you prefer they distribute the files?


There seems to be no need for ZIP. There seems to be no need for PDFs in it. Everything that is in PDF most likely could be presented by webpage/HTML/etc. Therefore yes, I complain that the files are compressed.

The need of downloading anything might be the point of that game, but people spreading viruses also like playing that way.


¯\_(ツ)_/¯ I trust my unzip utility and my pdf viewer just as much as I trust my browser.

I might have agreed with you 15 years ago, back in the age of antivirus and such.


>I trust my unzip utility and my pdf viewer just as much as I trust my browser.

The parent commenter is suggesting the random file may be malicious, not that their unzip utility or pdf viewer is untrustworthy.

They are further suggesting that the data contained within the zip could be distributed in a fashion that is less commonly weaponized (PDF is a common attack vector, zip is a common obfuscation method).

>I might have agreed with you 15 years ago, back in the age of antivirus and such.

What does this even mean? You still need antivirus today.
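An added example, not part of the thread: one way to check what a downloaded zip holds before extracting or opening anything, by listing members in memory and flagging executables and PDFs that carry active-content name objects. The extension list, marker list, size limit and sample archive are assumptions constructed for this illustration.

```python
import io
import os
import zipfile

# Assumed, non-exhaustive lists chosen for this example.
EXEC_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".lnk", ".msi"}
PDF_MARKERS = [b"/OpenAction", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile"]
MAX_BYTES = 20 * 1024 * 1024  # do not decompress members declared larger than this


def triage_zip(data: bytes) -> dict:
    """Map each member name to a list of findings; nothing is written to disk."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = []
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith("/") or ".." in parts:
                findings.append("path traversal in member name")
            if os.path.splitext(info.filename.lower())[1] in EXEC_EXTS:
                findings.append("executable/script extension")
            if info.flag_bits & 0x1:
                findings.append("encrypted, content not scanned")
            elif info.file_size > MAX_BYTES:
                findings.append("oversized, content not scanned")
            else:
                body = zf.read(info)
                if body[:2] == b"MZ" or body[:4] == b"\x7fELF":
                    findings.append("executable header")
                if body[:5] == b"%PDF-":
                    hits = [m.decode() for m in PDF_MARKERS if m in body]
                    if hits:
                        findings.append("PDF active content: " + ", ".join(hits))
            report[info.filename] = findings
    return report


def build_sample() -> bytes:
    """Constructed archive: one plain PDF, one PDF with an open action, one PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n")
        zf.writestr("docs/form.pdf", b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >> endobj\n"
                                     b"2 0 obj << /S /JavaScript /JS (constructed) >> endobj\n")
        zf.writestr("tools/setup.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in triage_zip(build_sample()).items():
        print(name, "->", findings or "no findings")
```

Markers inside compressed object streams or written with hex-escaped names are not seen by this byte search, so an empty findings list is not evidence that a PDF is safe.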


With their final statement, I think they are essentially stating that AV was a better shield 15 years ago and I don't disagree in a general sense.

Today's AV has to be more than it was in the past to be a successful shield, hence products like CYNET or CrowdStrike.

I still run AV at home on all systems, because I agree with you. AV is still needed and people without it...well, I wish them success.


Some of us don't open HTML e-mail or click on every ad banner they see. Some don't even see ads!

An AV is a waste of system resources unless you're a fool that's easily convinced into opening things you shouldn't.


>An AV is a waste of system resources unless you're a fool that's easily convinced into opening things you shouldn't.

Did Malware write this? lol


All I use is an adblocker and I've not dealt with malware in over a decade. Turns out if you stay away from shady places on the Web and don't click everything shoved in your face, you can keep a clean machine.

Meanwhile, I know plenty of people WITH antivirus and other shit with utterly compromised and slow shit. We can blame the user behavior instead of the antivirus, naturally, but how do we know the AV is protecting the user and not luring them into a sense of security so that they do risky things?

I'm clearly doing something right.


If ads and email were the only vectors of attack, I'd have a much easier job.


> The need of downloading anything might be the point of that game, but people spreading viruses also like playing that way.

I think that you underestimate the capabilities of modern malware, and overestimate the capabilities of the average lazy person.

Modern malware doesn't need this "download and execute" flow to activate. It exploits vulnerabilities in browsers and browser components to achieve arbitrary code execution. One click required (the one that leads you to the malware) [1].

A malware flow with manual downloading that leaves persistent breadcrumbs on your computer has more opportunities where a "real-time protection" antivirus can detect and stop the threat, so it's no longer the norm outside email attachments.

[1] https://github.blog/2023-09-26-getting-rce-in-chrome-with-in...


I don't see how what you're proposing makes sense.

It can't provide value to laypeople who're cut off from the internet if all that's passed around is a URL.


Carrier pigeons at this point. He’s right you know.


Pigeons can be infected with viruses.

If we're really going to do this right, then Smoke Signals are the way. We take the 1s and 0s and encrypt them into different 1s and 0s to obfuscate. ;)


A random site with "just html" has the possibility as well to "spread viruses" with an unknown zero-day with, for example, an image handling exploit, or a novel sort of RAM rewriting attack.

If you really care about "casual usability of things that can spread viruses" in your security model, you would actually prefer documents in PDF format and running them thru Qubes sanitizing conversion appvm.


Both Chromium and Firefox also have built-in PDF readers that run in the browser sandbox so you can read PDFs with no more attack surface than the webpage that you downloaded them from has access to. Of course a separate VM is going to be even more secure but it is a much bigger step for the average user.


It all depends on your Operations Security model. For some people it's more important for things to be available and convenient than for them to be secure.

For the average user, I would say malware running under the browser sandbox within a domain context is game over, assuming for example malware under your webmail or bank page domain.

This XKCD applies to this very well: https://xkcd.com/1200/

> If someone steals my laptop while I'm logged in, they can read my email, take my money, and impersonate me to my friends, but at least they can't install drivers without my permission.


Each browser tab and cross-origin iframe is its own process sandbox. Web security operates on domain boundaries.

If your webmail provider or bank is serving malware or user generated content under the same origin as the frontend, they have self-owned beyond the browser’s capacity to help.


> A random site with "just html" has the possibility as well to "spread viruses" with an unknown zero-day with, for example, an image handling exploit, or a novel sort of RAM rewriting attack.

Technically possible, but the vast majority of sites that can get you infected just by viewing them depend on JS. I'd much sooner trust an HTML document than a PDF file from some random website.



