Welcome post: https://lemmy.zip/post/40323214
Voyager change: https://lemmy.dbzer0.com/post/45890744
lemmy.zip doesn't allow users from the UK.
this post was submitted on 05 Jun 2025
125 points (95.6% liked)
Fediverse memes
1431 readers
715 users here now
Memes about the Fediverse.
Rules
General
- Be respectful
- Post on topic
- No bigotry or hate speech
Specific
- We are not YPTB. If you have a problem with the way an instance or community is run, then take it up over at !yepowertrippinbastards@lemmy.dbzer0.com.
- Addendum: Yes we know that you think ml/hexbear/grad are tankies and or .world are a bunch of liberals but it gets old quickly. Try and come up with new material.
Elsewhere in the Fediverse
Other relevant communities:
- !fediverse@lemmy.world
- !yepowertrippinbastards@lemmy.dbzer0.com
- !lemmydrama@lemmy.world
- !fediverselore@lemmy.ca
- !bestofthefediverse@lemmy.ca
- !fedigrow@lemm.ee
founded 8 months ago
MODERATORS
Those users are probably going to go to feddit.uk?
Dunno, I was already here :o) just thought it was worth mentioning in a community on feddit.uk hah.
been on .zip 2 years-- its been great, and @Demigodrick@lemmy.zip is incredible as admin
Yes, the moderation has been great.
Just sometimes the performance has been lacking. Like none of the pages loading and having to wait 15 minutes before they can be accessed again.
Maybe it is because I connect from the middle of Europe or something though.
That's very kind of you ❤️
I still can't take anyone running a .zip TLD seriously. It was bad idea to create it and it's a bad idea to use it.
Is there any PoC of attacks on Lemmy using .zip TLD ? The instance has been up for 2 years, I never heard anything
Targeting Lemmy specifically? probably not, but that's not really the issue. It's not that being a .zip address makes the server vulnerable, it's that the existence of the .zip TLD makes everyone vulnerable:
Surveys by security researchers immediately following public release of domain registration found numerous examples of links and domains registered under .zip being used in phishing attempts, and the ICSS recommended disabling access to .zip domains until "the dust settles and risks can be assessed".
https://en.wikipedia.org/wiki/.zip_(top-level_domain)#Security_concerns
Our findings show that the abuse rate for the .zip TLD is 0.20% which is close to the average compared to all other TLDs. This rate indicates that .zip domain names are not being used to attack users more than the average TLDs - at least for now. However, if attackers find they have better success using .zip than other TLDs, the rates of abuse might change.
Given new TLDs, such as .zip, tend to have a higher abuse rate than legacy and ccTLDs we suggest that the security research community should continue the healthy debate about the potential risks of the .zip TLD and that internet users continue to be weary of downloading and opening files with a .zip extension or TLD from sources or individuals they may not know.
https://dnsrf.org/blog/the--zip-tld---ripe-for-abuse--but-so-far-so-good-/index.html
Choosing to use this TLD basically just screams ignorance, and should be causing users to question the competence of the person who made that choice.
Not sure if that tone is the best for a healthy debate.
Can you explain why, for me? Genuinely curious, I don't understand.
The problem is that .zip conflicts with the very commonly used zip archive format which has caused user confusion - a user might click on what appears to be a URL to www.fakewebsite.zip and instead end up downloading a malicious .zip file. This creates an unnecessary and entirely avoidable security risk.
Google opened registration for the .zip and .mov top-level domains to the general public on May 3, 2023. Its release was immediately met with condemnation from cyber security experts as a result of its similarity with the file format of the same name. Malwarebytes warned against the use of already recognizable filenames and their confusion with top-level domains, as "plenty of users already have a clear idea that .zip means something completely different". Experts cautioned against their use, and noted that the use of .zip filetypes in cybercrime had had "an explosion" in recent years. Cisco warned against the potential for leaks for personal identifying information. Researchers also registered similar concern about Google's .mov domain.
Surveys by security researchers immediately following public release of domain registration found numerous examples of links and domains registered under .zip being used in phishing attempts, and the ICSS recommended disabling access to .zip domains until "the dust settles and risks can be assessed".
https://en.wikipedia.org/wiki/.zip_(top-level_domain)#Security_concerns
Choosing to use this TLD basically just screams ignorance, and should be causing users to question the competence of the person who made that choice.
Our findings show that the abuse rate for the .zip TLD is 0.20% which is close to the average compared to all other TLDs. This rate indicates that .zip domain names are not being used to attack users more than the average TLDs - at least for now. However, if attackers find they have better success using .zip than other TLDs, the rates of abuse might change.
Given new TLDs, such as .zip, tend to have a higher abuse rate than legacy and ccTLDs we suggest that the security research community should continue the healthy debate about the potential risks of the .zip TLD and that internet users continue to be weary of downloading and opening files with a .zip extension or TLD from sources or individuals they may not know.
https://dnsrf.org/blog/the--zip-tld---ripe-for-abuse--but-so-far-so-good-/index.html
Choosing to use this TLD basically just screams ignorance, and should be causing users to question the competence of the person who made that choice.
Not sure if that tone is the best for a healthy debate.
Right, ok, so the problem with having a debate on this subject is that there's no reason for this risk to exist at all. There's no good reason to have a .zip TLD, there was no need for it, it should not have been created and no one should use it.
If you're weighing pros and cons, there are exactly 0 pros. Therefore no matter how minor you think the cons are, they outweigh 0 pros by 100%.
Also, "nothing bad has happened yet" is not a valid argument and is a terrible basis for making risk decisions.
I see your perspective, but is there any similar instance that is not Lemmy.zip?
From another post
Lemmy.world is too big
sh.itjust.works names contains "shit", which can deter users
lemmy.ca is Canadian-centric
feddit.org, is German-centric, but technically English speaking too
dbzer0 is topic focused
programming.dev is topic-centric
blahaj is queer-focused
discuss.tchncs.de has a difficult name
lemmy.sdf.org does not defederate anyone
beehaw defederates LW and SJW
infosec.pub is topic-centric
aussie.zone is country-centric
midwest.social is region-centric
https://lemmy.dbzer0.com/post/37336391?scrollToComments=true
'This bridge is literally held together with duct tape, but it hasn't killed anyone yet!'
I'm with you, unecessary risk. Thank you for the explanations.
You guys are making me feel left out :(
Can you recommend an instance with a federation policy as wide as lemm.ee? Lemmy.zip, for instance, does not federate with hexbear, right?
We do federate with HB at .zip. No defederations from major instances.
take a peek at lemmy.sdf.org
Both list of blocked instances are in the body of this post
Lemm.ee federates HB, and lemmy.zip does too.
Feddit.uk is pretty good for this. I think our defed list is pretty minimal.
lemm.ee refugee here. I was considering piefed, but photon didn't support it.
Now that the API is there, hopefully it will in the future
Im currently usong boost with .ee, but i think support for that stopped too? Im going to have to change clients and instances