Public Suffix List


The Public Suffix List (PSL) is a community-maintained list of rules that describe the internet domain name suffixes under which independent organisations can register their own sites. Entries on the list are referred to as effective top-level domains (eTLDs),[1] and contain commonly used suffixes like com, net and co.uk, as well as private suffixes like appspot.com and github.io.


The Mozilla Foundation created the PSL for the security and privacy policies of the Firefox web browser, but it is widely used in many different internet technologies with varying success, under the Mozilla Public License (MPL). The list has been shown to have numerous privacy and security issues, mostly caused by applications using outdated versions of it.[2]

List

A copy of the list is stored by all modern browsers, including Firefox, Chrome[3] and Opera.[4] They use it for features such as deciding which cookie domains may be set, detecting domain names in the address bar and site grouping. It is also used in many other tools such as curl.[5] Services like Let's Encrypt and Cloudflare are known to use it for per-site rate limiting.[6]

According to Mozilla, [7]

A "public suffix" is one under which Internet users can directly register names. Some examples of public suffixes are ".com", ".co.uk" and "pvt.k12.ma.us".

While com, uk, and us are top-level domains (TLDs), Internet users cannot always register the next level of domain, such as "co.uk" or "wy.us", because these may be controlled by domain registrars. By contrast, users can register second level domains within com, such as example.com, because registrars control only the top level. The Public Suffix List is intended to enumerate all domain suffixes controlled by registrars, as well as those controlled privately such as github.io.[8]

An internet site consists of the online resources which can be controlled by the registrant of a domain name. That includes resources available via the domain and all its sub-domains. Two domains are related if they are in the same site, i.e. they share a suffix that is not included in the Public Suffix List.

Security issues like a same-site attack can arise if the Public Suffix List is incorrect, or if browsers or sites are not properly configured.[9][10]
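The definitions above (public suffix, registrable domain, related or "same-site" domains, and the cookie-scoping use mentioned under List) can be made concrete with a small matcher. The following Python is an added worked example, not code from Mozilla or publicsuffix.org; it implements the matching algorithm published with the list (wildcard labels, exception rules, and "the rule with the most labels wins") over a constructed excerpt of PSL rules. The rule excerpt, host names and function names are assumptions for illustration; a real deployment loads the full list and keeps it current.

```python
"""Minimal Public Suffix List (PSL) matcher.

Added example, not code from Mozilla or publicsuffix.org. The algorithm
follows the matching rules published with the list: wildcard labels
("*"), exception rules ("!"), and "most labels wins". The rule set below
is a small constructed excerpt in the PSL file format; a real deployment
loads the full list and keeps it up to date.
"""
from __future__ import annotations

# Constructed excerpt of PSL rules (the real file has thousands of lines).
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
*.ck
!www.ck
us
k12.ma.us
pvt.k12.ma.us
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
appspot.com
github.io
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text: str) -> list[str]:
    """Return the rule lines, dropping comments and blank lines."""
    return [
        line.strip().lower()
        for line in text.splitlines()
        if line.strip() and not line.strip().startswith("//")
    ]


RULES = parse_psl(SAMPLE_PSL)


def _labels(name: str) -> list[str]:
    return name.lower().strip(".").split(".")


def _rule_matches(rule: str, labels: list[str]) -> bool:
    """A rule matches when its labels equal the host's rightmost labels
    (compared right to left); "*" matches exactly one arbitrary label."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r in ("*", l) for r, l in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(host: str, rules: list[str] = RULES) -> str:
    """Return the public suffix (eTLD) of host."""
    labels = _labels(host)
    matching = [r for r in rules if _rule_matches(r, labels)]
    if not matching:
        prevailing = "*"  # unlisted TLD: the last label is the suffix
    else:
        exceptions = [r for r in matching if r.startswith("!")]
        # an exception rule wins outright; otherwise the rule with most labels
        prevailing = exceptions[0] if exceptions else max(matching, key=lambda r: r.count("."))
    if prevailing.startswith("!"):
        # exception rule: the suffix is the rule minus its leftmost label
        prevailing = prevailing[1:].split(".", 1)[1]
    n = prevailing.count(".") + 1
    return ".".join(labels[-n:])


def registrable_domain(host: str, rules: list[str] = RULES) -> str | None:
    """Return the eTLD+1 of host, or None when host is itself a public suffix."""
    labels = _labels(host)
    n = public_suffix(host, rules).count(".") + 1
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def same_site(host_a: str, host_b: str, rules: list[str] = RULES) -> bool:
    """Two hosts are same-site (related) when they share a registrable domain."""
    a = registrable_domain(host_a, rules)
    return a is not None and a == registrable_domain(host_b, rules)


def cookie_domain_allowed(request_host: str, domain_attr: str, rules: list[str] = RULES) -> bool:
    """Mirror the browser check on a Set-Cookie Domain attribute: the host
    must domain-match the attribute, and the attribute may not be a public
    suffix (which would scope one cookie across unrelated sites)."""
    host = ".".join(_labels(request_host))
    attr = ".".join(_labels(domain_attr))
    if attr == host:
        return True  # equivalent to a host-only cookie
    if public_suffix(attr, rules) == attr:
        return False  # e.g. Domain=co.uk or Domain=github.io is rejected
    return host.endswith("." + attr)


if __name__ == "__main__":
    for h in ("www.example.co.uk", "alice.github.io", "foo.bar.ck", "www.ck", "co.uk"):
        print(f"{h:20} suffix={public_suffix(h):14} eTLD+1={registrable_domain(h)}")
    print("alice/bob.github.io same-site?", same_site("alice.github.io", "bob.github.io"))
    print("Domain=co.uk from www.example.co.uk allowed?", cookie_domain_allowed("www.example.co.uk", "co.uk"))
```

Two behaviours worth noting: alice.github.io and bob.github.io come out as different sites because github.io is a private-section entry, which is exactly why such entries are requested; and a host under a TLD absent from the rules falls back to the implicit "*" rule, so a stale copy of the list silently treats any newer suffix (a new public registry under a ccTLD, say) as a single registrable domain.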

Some uses for the list are:[11]

Issues

The PSL has been seen as a tool for a variety of goals related to security, privacy, usability and resource management which can be in tension with each other, leading to maintenance difficulties and operational challenges.[12][13][14] Ideas for effective approaches such as dbound, HTTP State Tokens and First Party Sets have been explored without consensus yet on good alternatives.[15]

In 2021, privacy enhancements in iOS 14.5 related to Apple's Identifier for Advertisers and unclear guidance from Facebook led to a flood of inappropriate requests for domains to be added to the Public Suffix List.[16][17]

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet after the root domain. The top-level domain names are installed in the root zone of the name space. For all domains in lower levels, it is the last part of the domain name, that is, the last non-empty label of a fully qualified domain name. For example, in the domain name www.example.com, the top-level domain is .com. Responsibility for management of most top-level domains is delegated to specific organizations by ICANN, an Internet multi-stakeholder community, which operates the Internet Assigned Numbers Authority (IANA) and is in charge of maintaining the DNS root zone.


In the Internet, a domain name is a string that identifies a realm of administrative autonomy, authority or control. Domain names are often used to identify services provided through the Internet, such as websites, email services and more. As of December 2023, 359.8 million domain names had been registered. Domain names are used in various networking contexts and for application-specific naming and addressing purposes. In general, a domain name identifies a network domain or an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, or a server computer.


The domain name .org is a generic top-level domain (gTLD) of the Domain Name System (DNS) used on the Internet. The name is truncated from 'organization'. It was one of the original domains established in 1985, and has been operated by the Public Interest Registry since 2003. The domain was originally "intended as the miscellaneous TLD for organizations that didn't fit anywhere else." It is commonly used by non-profit organizations, open-source projects, and communities, but is an open domain that can be used by anyone. The number of registered domains in .org has increased from fewer than one million in the 1990s, to ten million in 2012, and held steady between ten and eleven million since then.

A domain name registrar is a company that manages the reservation of Internet domain names. A domain name registrar must be accredited by a generic top-level domain (gTLD) registry or a country code top-level domain (ccTLD) registry. A registrar operates in accordance with the guidelines of the designated domain name registries.

Site Finder was a wildcard DNS record for all .com and .net unregistered domain names, run by .com and .net top-level domain operator VeriSign between 15 September 2003 and 4 October 2003.

.museum is a sponsored top-level domain (sTLD) in the Domain Name System of the Internet used exclusively by museums, museum associations, and individual members of the museum profession, as these groups are defined by the International Council of Museums (ICOM).


.ee is the internet country code top-level domain (ccTLD) of Estonia, operated by the Estonian Internet Foundation.


.nu is the Internet country code top-level domain (ccTLD) assigned to the island state of Niue. It was one of the first ccTLDs to be marketed to the Internet at large as an alternative to the gTLDs .com, .net, and .org. Playing on the phonetic similarity between nu and new in English, and the fact that nu means "now" in several northern European languages, it was promoted as a new TLD with an abundance of good domain names available. The .nu domain is now controlled by the Internet Foundation in Sweden amid opposition from the government of Niue.

A country code top-level domain (ccTLD) is an Internet top-level domain generally used or reserved for a country, sovereign state, or dependent territory identified with a country code. All ASCII ccTLD identifiers are two letters long, and all two-letter top-level domains are ccTLDs.


.bd is the Internet country code top-level domain (ccTLD) for Bangladesh. It is administered by the Ministry of Posts, Telecommunications and Information Technology. Registrations are at the third level beneath several second-level labels, paralleling the oldest gTLDs; registration is open except in the gov and mil subdomains, which are limited to authorized entities in the Bangladesh government. Although online registration is available, BTCL currently allows .bd registration only to Bangladeshi citizens and only beneath the second-level labels: names such as example.com.bd, example2.com.bd and example3.com.bd are permitted, but example.bd, example2.bd and example3.bd are not.


On the Internet, .cc is the country code top-level domain (ccTLD) for the Cocos (Keeling) Islands, an Australian territory. It is administered by a United States company, VeriSign, through a subsidiary company, eNIC, which promotes it for international registration as "the next .com". The .cc domain was originally assigned to eNIC in October 1997 by the IANA; eNIC manages the TLD alongside SamsDirect Internet.


.tw is the Internet country code top-level domain (ccTLD) for Taiwan. The domain name is based on the ISO 3166-1 alpha-2 country code TW. The registry is maintained by the Taiwan Network Information Center (TWNIC), a Taiwanese non-profit organization appointed by the National Communications Commission (NCC) and the Ministry of Transportation and Communication. Since 1 March 2001, TWNIC has no longer registered new domain names directly, instead accepting new registrations only through its contracted reseller registrars. As of May 2023, there are 17 registrars.

In the Domain Name System (DNS) hierarchy, a second-level domain is a domain that is directly below a top-level domain (TLD). For example, in example.com, example is the second-level domain of the .com TLD.

WHOIS is a query and response protocol that is used for querying databases that store an Internet resource's registered users or assignees. These resources include domain names, IP address blocks and autonomous systems, but it is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format. The current iteration of the WHOIS protocol was drafted by the Internet Society, and is documented in RFC 3912.


HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.


The domain name .рф is the Cyrillic country code top-level domain for the Russian Federation, in the Domain Name System of the Internet. In the Domain Name System it has the ASCII DNS name xn--p1ai. The domain accepts only Cyrillic subdomain applications, and is the first Cyrillic implementation of the Internationalizing Domain Names in Applications (IDNA) system. The domain became operational on 13 May 2010. As of 2014 it is the most used internationalized country code top-level domain, with around 900,000 domain names.

The CookieMonster attack is a man-in-the-middle exploit where a third party can gain HTTPS cookie data when the "Encrypted Sessions Only" property is not properly set. This could allow access to sites with sensitive personal or financial information.

HTTPS Everywhere is a discontinued free and open-source browser extension for Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Brave, Vivaldi and Firefox for Android, which was developed collaboratively by The Tor Project and the Electronic Frontier Foundation (EFF). It automatically makes websites use a more secure HTTPS connection instead of HTTP, if they support it. The option "Encrypt All Sites Eligible" makes it possible to block and unblock all non-HTTPS browser connections with one click. Due to the widespread adoption of HTTPS on the World Wide Web, and the integration of HTTPS-only mode on major browsers, the extension was retired in January 2023.

An emoji domain is a domain name with one or more emoji in it, for example 😉.tld.

References

  1. "Public Suffix List - MozillaWiki". wiki.mozilla.org. Retrieved 18 May 2017.
  2. Sleevi, Ryan (22 January 2024). sleevi/psl-problems. Retrieved 12 March 2024.
  3. "364745 - Treat PSL matching consistently across all platforms". bugs.chromium.org. Retrieved 18 May 2017.
  4. "Cookies and the Public Suffix List". Heroku. 11 October 2013. Retrieved 19 January 2014.
  5. "PSL in Curl". Daniel Stenberg. 10 January 2024. Retrieved 31 January 2024.
  6. "Learn more about the Public Suffix List". publicsuffix.org. Retrieved 12 March 2024.
  7. "Public Suffix List". publicsuffix.org. Retrieved 18 May 2017.
  8. Kucherawy, Murray (13 April 2015). "Additional Background Information for dbound". IETF working group. "The PSL is maintained by a web browser producer and is kept current by volunteers on a best-effort basis. It contains a list of points in the hierarchical namespace at which registrations take place, and is used to identify the boundary between so-called "public" names (below which registrations can occur, such as ".com" or ".org.uk") and the private names (organizational names) that domain registrars create within them."
  9. Dobberstein, Laura. "Subdomain security is substandard, say security researchers". www.theregister.com. Retrieved 4 July 2021.
  10. "Can I take Your Subdomain? Exploring Same-Site Attacks in the Modern Web". Can I Take Your Subdomain?. Retrieved 4 July 2021.
  11. "Learn more about the Public Suffix List". publicsuffix.org. Retrieved 12 March 2024.
  12. Kumari, Warren; Akkerhuis, Jaap; Fältström, Patrik (2015). "SAC070 - ICANN SSAC Advisory on the Use of Static TLD / Suffix Lists" (PDF). ICANN Security and Stability Advisory Committee (SSAC) Reports and Advisories. p. 32. Retrieved 5 July 2021.
  13. "SSAC Advisory on the Use of Static TLD / Suffix Lists | ICANN Features". features.icann.org. Retrieved 5 July 2021.
  14. Sleevi, Ryan (17 June 2021). sleevi/psl-problems. Retrieved 4 July 2021.
  15. Huston, Geoff (10 September 2020). "DNS Query Privacy Revisited | blabs.apnic.net". Retrieved 5 July 2021.
  16. "Mozilla flooded with requests after Apple privacy changes hit Facebook". BleepingComputer. Retrieved 4 July 2021.
  17. "New interaction between IOS 14.5 PCM and Facebook Pixel causing increase in PSL inclusion requests · Issue #1245 · publicsuffix/list". GitHub. Retrieved 4 July 2021.