Table of Contents Categories
  Encyclosphere.org ENCYCLOREADER
  supported by EncyclosphereKSF

Public Suffix List

From HandWiki - Reading time: 4 min

Short description: Catalog of Internet domain names

The Public Suffix List (PSL) is a catalog of certain Internet domain names. Entries on the list are also referred to as effective top-level domains (eTLD).[1] The Mozilla Foundation initiated the suffix list for the security and privacy policies of its Firefox web browser, but it is widely applied, with varying success, to a variety of other purposes under the Mozilla Public License (MPL).

List

The list is used by Mozilla browsers (Firefox), by Google in Chrome and Chromium projects on certain platforms,[2], by Opera.[3] and cURL since version 7.46.0[4]

According to Mozilla,[5]

A "public suffix" is one under which Internet users can directly register names. Some examples of public suffixes are ".com", ".co.uk" and "pvt.k12.ma.us".

While com, uk, and us are top-level domains (TLDs), Internet users cannot always register the next level of domain, such as "co.uk" or "wy.us", because these may be controlled by domain registrars. By contrast, users can register second level domains within com, such as example.com, because registrars control only the top level. The Public Suffix List is intended to enumerate all domain suffixes controlled by registrars.[6]

An internet site consists of the online resources which can be controlled by the registrant of a domain name. That includes resources available via the domain and all its sub-domains. Two domains are related if they are in the same site, i.e. they share a suffix that is not included in the Public Suffix List.

Security issues like a same-site attack can arise if the Public Suffix List is incorrect, or if browsers or sites are not properly configured.[7][8]

Some uses for the list are:

  • Avoiding "supercookies", HTTP cookies set by related-domain attackers for high-level domain name suffixes. In other words, a page at foo.example.co.uk might normally have access to cookies at bar.example2.co.uk, but example.co.uk should be walled off from cookies at example2.co.uk, to prevent a same-site attack, since the latter two domains could be registered by different owners.
  • Finding DMARC policy records for email subdomains.
  • Highlighting the most important part of a domain name in the user interface.
  • Improving the sorting of browser history entries by site.

Issues

The PSL has been seen as a tool for a variety of goals related to security, privacy, usability and resource management which can be in tension with each other, leading to maintenance difficulties and operational challenges.[9][10][11] Ideas for effective approaches such as dbound, HTTP State Tokens and First Party Sets have been explored without consensus yet on good alternatives.[12]

In 2021, privacy enhancements in iOS 14.5 related to Apple's Identifier for Advertisers and unclear guidance from Facebook led to a flood of inappropriate requests for domains to be added to the Public Suffix List.[13][14]

References

  1. "Public Suffix List - MozillaWiki". https://wiki.mozilla.org/Gecko:Effective_TLD_List. Retrieved 18 May 2017. 
  2. "364745 - Treat PSL matching consistently across all platforms". https://bugs.chromium.org/p/chromium/issues/detail?id=364745. Retrieved 18 May 2017. 
  3. "Cookies and the Public Suffix List". Heroku. 11 October 2013. https://devcenter.heroku.com/articles/cookies-and-herokuapp-com. Retrieved 19 January 2014. 
  4. "PSL in Curl". Daniel Stenberg. 10 January 2024. https://daniel.haxx.se/blog/2024/01/10/psl-in-curl/. Retrieved 31 January 2024. 
  5. "Public Suffix List". http://publicsuffix.org/. Retrieved 18 May 2017. 
  6. Murray Kucherawy (13 April 2015). "Additional Background Information for dbound". IETF working group. https://trac.ietf.org/trac/dbound/wiki/AdditionalBackgroundInformation. "The PSL is maintained by a web browser producer and is kept current by volunteers on a best-effort basis. It contains a list of points in the hierarchical namespace at which registrations take place, and is used to identify the boundary between so-called "public" names (below which registrations can occur, such as ".com" or ".org.uk") and the private names (organizational names) that domain registrars create within them." 
  7. Dobberstein, Laura. "Subdomain security is substandard, say security researchers" (in en). https://www.theregister.com/2021/06/30/subdomain_vulnerabiilties/. 
  8. "Can I take Your Subdomain? Exploring Same-Site Attacks in the Modern Web" (in en). https://canitakeyoursubdomain.name/. 
  9. Kumari, Warren; Akkerhuis, Jaap; Fältström, Patrik (2015), "SAC070 - ICANN SSAC Advisory on the Use of Static TLD / Suffix Lists", ICANN Security and Stability Advisory Committee (SSAC) Reports and Advisories: pp. 32, https://www.icann.org/en/system/files/files/sac-070-en.pdf, retrieved 2021-07-05 
  10. "SSAC Advisory on the Use of Static TLD / Suffix Lists | ICANN Features". https://features.icann.org/ssac-advisory-use-static-tld-suffix-lists. 
  11. Sleevi, Ryan (2021-06-17), sleevi/psl-problems, https://github.com/sleevi/psl-problems, retrieved 2021-07-04 
  12. Huston, Geoff (2020-09-10). "DNS Query Privacy Revisited | blabs.apnic.net" (in en-US). https://labs.apnic.net/?p=1360. 
  13. "Mozilla flooded with requests after Apple privacy changes hit Facebook" (in en-us). https://www.bleepingcomputer.com/news/security/mozilla-flooded-with-requests-after-apple-privacy-changes-hit-facebook/. 
  14. "New interaction between IOS 14.5 PCM and Facebook Pixel causing increase in PSL inclusion requests · Issue #1245 · publicsuffix/list" (in en). https://github.com/publicsuffix/list/issues/1245. 

External links

  • No URL found. Please specify a URL here or add one to Wikidata.




Licensed under CC BY-SA 3.0 | Source: https://handwiki.org/wiki/Public_Suffix_List
9 views | Status: cached on July 19 2024 00:11:07
↧ Download this article as ZWI file
Encyclosphere.org EncycloReader is supported by the EncyclosphereKSF