The Public Suffix List (PSL) is a community-maintained list of rules that describe the internet domain name suffixes under which independent organisations can register their own sites. Entries on the list are referred to as effective top-level domains (eTLDs) [1] and include commonly used suffixes such as com, net and co.uk, as well as private suffixes such as appspot.com and github.io.
The Mozilla Foundation created the PSL for the security and privacy policies of the Firefox web browser, but it is widely used in many different internet technologies, with varying success, under the Mozilla Public License (MPL). Numerous privacy and security issues have been attributed to the list, mostly caused by applications relying on outdated copies of it. [2]
A copy of the list is stored by all modern browsers, including Firefox, Chrome [3] and Opera. [4] They use it for features such as deciding which domains a site may set cookies for, highlighting the registrable domain in the address bar, and site grouping. It is also used in many other tools such as curl. [5] Services like Let's Encrypt and Cloudflare are known to use it for per-site rate limiting. [6]
According to Mozilla, [7]
A "public suffix" is one under which Internet users can directly register names. Some examples of public suffixes are ".com", ".co.uk" and "pvt.k12.ma.us".
While com, uk, and us are top-level domains (TLDs), Internet users cannot always register the next level of domain, such as "co.uk" or "wy.us", because these may be controlled by domain registrars. By contrast, users can register second level domains within com, such as example.com, because registrars control only the top level. The Public Suffix List is intended to enumerate all domain suffixes controlled by registrars, as well as those controlled privately such as github.io. [8]
An internet site consists of the online resources which can be controlled by the registrant of a domain name. That includes resources available via the domain and all its sub-domains. Two domains are related if they are in the same site, i.e. they share a suffix that is itself not included in the Public Suffix List.
Security issues like a same-site attack can arise if the Public Suffix List is incorrect, or if browsers or sites are not properly configured. [9] [10]
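As an added example (not code from Mozilla or the PSL project), the following Python applies the matching rules just described to a constructed excerpt of PSL-style entries, including a wildcard rule (`*.ck`) and an exception rule (`!www.ck`), to find a hostname's public suffix and registrable domain (eTLD+1) and to decide whether two hostnames are same-site. The rule excerpt and hostnames are constructed; a real deployment would load the full, current list and normalise IDNs first.

```python
from typing import Optional

# Constructed excerpt of PSL-style rules (not the real list): plain rules, a
# wildcard rule (*.ck) and an exception rule (!www.ck) in the list's syntax.
PSL_RULES = """
// constructed excerpt; the real list has ICANN and private sections
com
uk
co.uk
*.ck
!www.ck
github.io
"""

def parse_rules(text: str) -> list:
    """Return each non-comment rule as a list of labels, e.g. ['co', 'uk']."""
    return [line.strip().lower().split(".") for line in text.splitlines()
            if line.strip() and not line.strip().startswith("//")]
def _matches(rule: list, labels: list) -> bool:
    """A rule matches the rightmost host labels; '*' matches any one label."""
    body = [r.lstrip("!") for r in rule]   # ignore the '!' exception marker
    return len(body) <= len(labels) and all(
        r == "*" or r == d for r, d in zip(reversed(body), reversed(labels)))
def public_suffix(hostname: str, rules: list) -> str:
    labels = hostname.lower().rstrip(".").split(".")
    exception, longest = None, None
    for rule in rules:
        if _matches(rule, labels):
            if rule[0].startswith("!"):
                exception = rule
            elif longest is None or len(rule) > len(longest):
                longest = rule        # the longest matching rule prevails
    if exception:
        n = len(exception) - 1        # an exception rule drops its leftmost label
    elif longest:
        n = len(longest)
    else:
        n = 1                         # no match: implicit '*' rule, the bare TLD
    return ".".join(labels[-n:])
def registrable_domain(hostname: str, rules: list) -> Optional[str]:
    """The eTLD+1, or None when the hostname is itself a public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    n = public_suffix(hostname, rules).count(".") + 1
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None
def same_site(a: str, b: str, rules: list) -> bool:
    """Two hostnames are same-site when they share a registrable domain."""
    ra = registrable_domain(a, rules)
    return ra is not None and ra == registrable_domain(b, rules)
```

Note that `alice.github.io` and `bob.github.io` come out as different sites because `github.io` is listed as a private suffix, which is exactly the cookie isolation the list exists to provide.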
Some uses for the list are: [11]
The PSL has been seen as a tool for a variety of goals related to security, privacy, usability and resource management which can be in tension with each other, leading to maintenance difficulties and operational challenges. [12] [13] [14] Ideas for effective approaches such as dbound, HTTP State Tokens and First Party Sets have been explored without consensus yet on good alternatives. [15]
In 2021, privacy enhancements in iOS 14.5 related to Apple's Identifier for Advertisers and unclear guidance from Facebook led to a flood of inappropriate requests for domains to be added to the Public Suffix List. [16] [17]
The Public Suffix List is used by many companies such as Cloudflare, Google and Vercel.
The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.
A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet after the root domain. The top-level domain names are installed in the root zone of the name space. For all domains in lower levels, it is the last part of the domain name, that is, the last non-empty label of a fully qualified domain name. For example, in the domain name www.example.com, the top-level domain is .com. Responsibility for management of most top-level domains is delegated to specific organizations by the ICANN, an Internet multi-stakeholder community, which operates the Internet Assigned Numbers Authority (IANA), and is in charge of maintaining the DNS root zone.
In the Internet, a domain name is a string that identifies a realm of administrative autonomy, authority or control. Domain names are often used to identify services provided through the Internet, such as websites, email services and more. Domain names are used in various networking contexts and for application-specific naming and addressing purposes. In general, a domain name identifies a network domain or an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, or a server computer.
In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes the public key and information about it, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.
The domain name .org is a generic top-level domain (gTLD) of the Domain Name System (DNS) used on the Internet. The name is truncated from 'organization'. It was one of the original domains established in 1985, and has been operated by the Public Interest Registry since 2003. The domain was originally "intended as the miscellaneous TLD for organizations that didn't fit anywhere else". It is commonly used by non-profit organizations, open-source projects, and communities, but is an open domain that can be used by anyone. The number of registered domains in .org has increased from fewer than one million in the 1990s, to ten million in 2012, and held steady between ten and eleven million since then.
Site Finder was a wildcard DNS record for all .com and .net unregistered domain names, run by .com and .net top-level domain operator VeriSign between 15 September 2003 and 4 October 2003.
.jobs is a sponsored top-level domain (sTLD) in the Domain Name System of the Internet. As indicated by its name, the domain is restricted to employment-related sites.
The internationalized domain name (IDN) homoglyph attack is a method used by malicious parties to deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike. For example, the Cyrillic, Greek and Latin alphabets each have a letter ⟨o⟩ that has the same shape but represents different sounds or phonemes in their respective writing systems.
In the Domain Name System (DNS) hierarchy, a second-level domain is a domain that is directly below a top-level domain (TLD). For example, in example.com, example is the second-level domain of the .com TLD.
HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.
A local shared object (LSO), commonly called a Flash cookie, is a piece of data that websites that use Adobe Flash may store on a user's computer. Local shared objects have been used by all versions of Flash Player since version 6.
DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.
The domain name .рф is the Cyrillic country code top-level domain for the Russian Federation, in the Domain Name System of the Internet. In the Domain Name System it has the ASCII DNS name xn--p1ai. The domain accepts only Cyrillic subdomain applications, and is the first Cyrillic implementation of the Internationalizing Domain Names in Applications (IDNA) system. The domain became operational on 13 May 2010. As of 2014 it is the most used internationalized country code top-level domain, with around 900,000 domain names.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during the TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546.
HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.
Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.
HTTPS Everywhere is a discontinued free and open-source browser extension for Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Brave, Vivaldi and Firefox for Android, which was developed collaboratively by The Tor Project and the Electronic Frontier Foundation (EFF). It automatically makes websites use a more secure HTTPS connection instead of HTTP, if they support it. The option "Encrypt All Sites Eligible" makes it possible to block and unblock all non-HTTPS browser connections with one click. Due to the widespread adoption of HTTPS on the World Wide Web, and the integration of HTTPS-only mode on major browsers, the extension was retired in January 2023.
.top is a generic top-level domain, officially delegated in ICANN's new gTLD program on August 4, 2014.
An emoji domain is a domain name with one or more emoji in it, for example 😉.tld.
DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States. In May 2020, Chrome switched to DNS over HTTPS by default.
The PSL is maintained by a web browser producer and is kept current by volunteers on a best-effort basis. It contains a list of points in the hierarchical namespace at which registrations take place, and is used to identify the boundary between so-called "public" names (below which registrations can occur, such as ".com" or ".org.uk") and the private names (organizational names) that domain registrars create within them.