On May 3rd 2023, Google launched the .ZIP top-level domain among a handful of other TLDs such as .dad, .esq, .prof and so on.
And then the world went nuts about it.
What is clear is that the .ZIP domain may well facilitate scams that try to confuse people into clicking on links that appear legitimate. I would expect that such people will click on links no matter what.
Below is an example of a URL that appears benign but would take you to v1.27.1.zip.
https://github.com/kubernetes/kubernetes/archive/refs/tags/@v1.27.1.zip
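As an added illustration (not part of the original post), the JavaScript below uses the WHATWG URL parser that browsers and Node.js share to report which host a link really targets and to flag text before an "@" that imitates a hostname. The function name, the finding labels and the lookalike-slash test input are constructed for this example; the URL as printed above contains ordinary slashes.

```javascript
// Added example: a link-scanner style check, not code from the original post.
// Code points that render like "/" but do not end the authority part of a URL.
const SLASH_LOOKALIKES = /[\u2044\u2215\u29F8\uFF0F]/;

function inspectLink(link) {
  const url = new URL(link); // same parsing rules a browser applies
  let userinfo = url.username;
  try {
    userinfo = decodeURIComponent(url.username); // parser percent-encodes non-ASCII
  } catch {
    // malformed escape sequence: keep the raw value
  }
  const findings = [];
  if (userinfo !== "" || url.password !== "") {
    findings.push("userinfo-before-@");
  }
  if (SLASH_LOOKALIKES.test(userinfo)) {
    findings.push("slash-lookalike-in-userinfo");
  }
  // Text before "@" that starts like a hostname is what misleads the reader.
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(userinfo)) {
    findings.push("userinfo-resembles-hostname");
  }
  if (/\.zip$/i.test(url.hostname)) {
    findings.push("zip-tld-host");
  }
  return { host: url.hostname, userinfo, findings };
}

// The URL exactly as printed in the post: ordinary slashes, so "@" is in the path.
const asPrinted =
  "https://github.com/kubernetes/kubernetes/archive/refs/tags/@v1.27.1.zip";

// Constructed test input: same text, but the slashes before "@" are U+2215.
const lookalike =
  "https://" +
  "github.com/kubernetes/kubernetes/archive/refs/tags/".split("/").join("\u2215") +
  "@v1.27.1.zip";

for (const link of [asPrinted, lookalike]) {
  const { host, findings } = inspectLink(link);
  console.log(`${host}  [${findings.join(", ") || "no findings"}]`);
}
```

A mail gateway or chat client could run the same check and display the parsed host next to the link text, which is the kind of tooling support discussed further down.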
The fact is that attackers will use various means to confuse people – be that a .ZIP domain, encoding URLs, shortening URLs (nobody ever talks them up) and so on.
I actually think Eric Lawrence (Microsoft Edge team member) is fairly accurate insofar as it’s a lot of bluff and bluster; what needs to come are techniques in the browsers to support people who cannot work out if a URL is legitimate or not, layers to prevent malicious payloads from being downloaded and so on.
Let’s face it, the people who will click on such links and become infected probably don’t patch software regularly anyway and are exposed to dangers on the Internet whether .ZIP exists or not.
This domain exists because I am a CISO, interested in cyber security and because it was available!