[mooman219]

> Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

Yes? When you hover the first link the browser says "v1271.zip", and when you hover the second link it says "https://github.com/kubernetes/kubernetes/archive/refs/tags/v..."

You don't even need a .zip domain to do this, just assign a misleading link i.e. [google.com](badsite.com). If the argument is going to be no one looks at the on hover link preview, then why bother even paying for a .zip domain in the first place? Going further, you can also just buy a similar domain to confuse people, which might even work better than buying the .zip since then you _might_ even catch careful people that glance at the on hover preview.

[catiopatio]

If I copy and paste the malicious URL into the terminal, or the browser’s location field, there’s no indication that it’s anything but what it appears to be.

Of course, there’s nothing unique about `.zip` other than that it’s a common file extension. Any TLD that makes for a convincing file extension could be used this way.

[adhesive_wombat]

Maybe we should have the .exe TLD to make every URL using it look immediately suspicious.

Sorta like https://verylegit.link but built into the whole TLD.

[cuttysnark]

Hovering the link to preview its location in the status bar reveals the trick because the browser doesn't see any real slashes. The anchor's href (when inspected) actually does have the full bogus URL, but when hovered we're shown the browser-evaluated URL—which is a TIL.