Public Suffix List
The Public Suffix List (PSL) is a community-maintained list of rules that describe the internet domain name suffixes under which independent organisations can register their own sites. Entries on the list are referred to as effective top-level domains (eTLDs),[1] and contain commonly used suffixes like com, net and co.uk, as well as private suffixes like appspot.com and github.io.
The Mozilla Foundation created the PSL for the security and privacy policies of the Firefox web browser, but it is widely used in many different internet technologies with varying success, under the Mozilla Public License (MPL). The list has been shown to have numerous issues to do with privacy and security, mostly caused by applications using outdated versions.[2]
List
A copy of the list is stored by all modern browsers, including Firefox, Chrome[3] and Opera.[4] They use it for features such as allowing cookie registration, detecting domain names in the address bar and site grouping. It is also used in many other tools such as CURL.[5] Services like Let's Encrypt and Cloudflare are known to use it for per-site rate limiting.[6]
According to Mozilla,[7]
A "public suffix" is one under which Internet users can directly register names. Some examples of public suffixes are ".com", ".co.uk" and "pvt.k12.ma.us".
While com, uk, and us are top-level domains (TLDs), Internet users cannot always register the next level of domain, such as "co.uk" or "wy.us", because these may be controlled by domain registrars. By contrast, users can register second level domains within com, such as example.com, because registrars control only the top level. The Public Suffix List is intended to enumerate all domain suffixes controlled by registrars, as well as those controlled privately such as github.io.[8]
An internet site consists of the online resources which can be controlled by the registrant of a domain name. That includes resources available via the domain and all its sub-domains. Two domains are related if they are in the same site, i.e. they share a suffix that is not included in the Public Suffix List.
Security issues like a same-site attack can arise if the Public Suffix List is incorrect, or if browsers or sites are not properly configured.[9][10]
Some uses for the list are:[11]
- Avoiding "supercookies", HTTP cookies set by related-domain attackers for high-level domain name suffixes. In other words, a page at foo.example.co.uk might normally have access to cookies at bar.example.co.uk, but example.co.uk should be walled off from cookies at example2.co.uk, to prevent a same-site attack, since the latter two domains could be registered by different owners.
- Finding DMARC policy records for email subdomains.
- Highlighting the most important part of a domain name in the user interface.
- Improving the sorting of browser history entries by site.
Issues
The PSL has been seen as a tool for a variety of goals related to security, privacy, usability and resource management which can be in tension with each other, leading to maintenance difficulties and operational challenges.[12][13][14] Ideas for effective approaches such as dbound, HTTP State Tokens and First Party Sets have been explored without consensus yet on good alternatives.[15]
In 2021, privacy enhancements in iOS 14.5 related to Apple's Identifier for Advertisers and unclear guidance from Facebook led to a flood of inappropriate requests for domains to be added to the Public Suffix List.[16][17]
References
- ^ "Public Suffix List - MozillaWiki". wiki.mozilla.org. Retrieved 18 May 2017.
- ^ Sleevi, Ryan (2024-01-22), sleevi/psl-problems, retrieved 2024-03-12
- ^ "364745 - Treat PSL matching consistently across all platforms". bugs.chromium.org. Retrieved 18 May 2017.
- ^ "Cookies and the Public Suffix List". Heroku. 11 October 2013. Retrieved 19 January 2014.
- ^ "PSL in Curl". Daniel Stenberg. 10 January 2024. Retrieved 31 January 2024.
- ^ "Learn more about the Public Suffix List". publicsuffix.org. Retrieved 2024-03-12.
- ^ "Public Suffix List". publicsuffix.org. Retrieved 18 May 2017.
- ^ Murray Kucherawy (13 April 2015). "Additional Background Information for dbound". IETF working group.
The PSL is maintained by a web browser producer and is kept current by volunteers on a best-effort basis. It contains a list of points in the hierarchical namespace at which registrations take place, and is used to identify the boundary between so-called "public" names (below which registrations can occur, such as ".com" or ".org.uk") and the private names (organizational names) that domain registrars create within them.
- ^ Dobberstein, Laura. "Subdomain security is substandard, say security researchers". www.theregister.com. Retrieved 2021-07-04.
- ^ "Can I take Your Subdomain? Exploring Same-Site Attacks in the Modern Web". Can I Take Your Subdomain?. Retrieved 2021-07-04.
- ^ "Learn more about the Public Suffix List". publicsuffix.org. Retrieved 2024-03-12.
- ^ Kumari, Warren; Akkerhuis, Jaap; Fältström, Patrik (2015), "SAC070 - ICANN SSAC Advisory on the Use of Static TLD / Suffix Lists" (PDF), ICANN Security and Stability Advisory Committee (SSAC) Reports and Advisories, p. 32, retrieved 2021-07-05
- ^ "SSAC Advisory on the Use of Static TLD / Suffix Lists | ICANN Features". features.icann.org. Retrieved 2021-07-05.
- ^ Sleevi, Ryan (2021-06-17), sleevi/psl-problems, retrieved 2021-07-04
- ^ Huston, Geoff (2020-09-10). "DNS Query Privacy Revisited | blabs.apnic.net". Retrieved 2021-07-05.
- ^ "Mozilla flooded with requests after Apple privacy changes hit Facebook". BleepingComputer. Retrieved 2021-07-04.
- ^ "New interaction between IOS 14.5 PCM and Facebook Pixel causing increase in PSL inclusion requests · Issue #1245 · publicsuffix/list". GitHub. Retrieved 2021-07-04.