The Origins: When the DNS Hierarchy Got Complicated
In the early days of the internet, the domain name system was relatively simple. You had a handful of top-level domains (TLDs) like .com, .org, and .net, and organizations would register their domains directly under these TLDs. The boundary between the registrable part of a domain and its TLD was clear.
However, as the internet expanded globally, country-code TLDs (ccTLDs) emerged with their own registration policies. Some countries, like the UK (.uk) and Australia (.au), adopted a second-level hierarchy where organizations typically registered domains at the third level (e.g., example.co.uk or example.com.au). Suddenly, the clear boundary between registrable domains and "public" suffixes became blurred.
This ambiguity created a significant problem: how could software determine where the organizational boundary of a domain lies? Without this knowledge, critical security features like cookie handling could become vulnerable.
The Problem: Cookie Management and Security
The most pressing issue that led to the creation of the PSL was cookie security. Consider a site like example.com that sets a cookie. Browsers needed to prevent sites like malicious.example.com from accessing that cookie, as they are different organizational entities. However, in cases like example.co.uk and malicious.co.uk, both domains should be treated as distinct organizations despite sharing more domain components.
Without a standardized way to determine these boundaries, browsers had to rely on simplistic rules (like allowing cookies to be shared across subdomains) that created security vulnerabilities. In countries with multi-level TLDs, this problem was even more acute.
Mozilla's Solution: The Public Suffix List
In 2007, Mozilla recognized this problem and created the Public Suffix List—a community-maintained list of "public suffixes." A public suffix is essentially a domain under which internet users can directly register names. The PSL helps software distinguish between public suffixes and private domains.
For example, the PSL indicates that:
- .com is a public suffix
- .co.uk is a public suffix
- .github.io is a public suffix
- example.com is not a public suffix (it's an organisation level domain under .com)
What TLD+N Actually Means
To understand the PSL's impact, it helps to understand domain hierarchy terminology:
- TLD: The Top-Level Domain (e.g., .com, .org)
- TLD+1 (or eTLD+1): The TLD plus one level, which represents the "effective" registrable domain (e.g., example.com) - sometimes referred to as organisation level domain.
- TLD+2: The registrable domain plus one level, typically a subdomain (e.g., blog.example.com)
What makes this complex is that the "effective" TLD (eTLD) might include multiple parts. For instance:
- In example.com, the eTLD is .com
- In example.co.uk, the eTLD is .co.uk
- In example.github.io, the eTLD is .github.io
The PSL helps determine what counts as the effective TLD in any given domain.
PSL Additions and Removals: What They Mean
When a domain is added to the PSL:
- It becomes treated as a public suffix
- Subdomains immediately under it are considered separate registrable domains
- Cookies set by one subdomain can't be accessed by another subdomain
- SSL certificates must be issued separately for each subdomain
- Email sender policies may be evaluated differently
For example, when github.io was added to the PSL, alice.github.io and bob.github.io became treated as separate security contexts, just like alice.com and bob.com would be.
When a domain is removed from the PSL:
- It's no longer treated as a public suffix
- Subdomains are considered part of the same security context
- Cookies may be shared across previously separated domains
- Wildcard SSL certificates might cover more subdomains
- Security policies may need reconfiguration
Who Maintains the PSL?
The PSL was originally created by Mozilla and is still primarily maintained by them, though it has become a community effort. The list itself is hosted as an open-source project on GitHub (https://github.com/publicsuffix/list).
Mozilla remains the steward of the project, but contributions come from a wide range of organizations and individuals with interests in domain policy and web security.
The Approval Process
The process for adding or removing domains from the PSL involves:
- Submission: Creating a pull request on GitHub with the proposed change
- Justification: Providing evidence that the domain operates as a public suffix where third parties can register domains
- Review: Community and maintainer assessment of the request
- Implementation: Merging the change if approved
- Distribution: Updates are periodically released and adopted by consuming applications
For a domain to be added, it typically needs to demonstrate that:
- It allows third-party domain registration (or subdomain allocation)
- Different entities control different subdomains
- There's a legitimate need for security isolation between subdomains
The review process focuses on preventing abuse, as being in the PSL can confer certain advantages (particularly for cookie access and storage quotas).
Applications and Protocols Relying on PSL
The PSL has become a critical component for numerous systems:
Browsers:
- Cookie management (the original use case)
- Local storage limitations
- Security origin determination
- HSTS (HTTP Strict Transport Security) propagation
Certificate Authorities:
- Validation of domain control
- Issuance policies for wildcard certificates
- Name constraints enforcement
Email Systems:
- DMARC and SPF policy evaluation
- Determining organizational boundaries for anti-spoofing
- Email authentication alignment checks
Security Tools:
- Same-origin policy enforcement
- Cross-origin resource sharing (CORS) decisions
- Content Security Policy (CSP) implementation
Web Frameworks:
- Domain validation
- Routing decisions
- Security headers configuration
The degree of reliance varies, but cookie security remains the most critical application. Some systems implement their own version or modification of the PSL, creating occasional inconsistencies between applications.
Tools for Working with the Public Suffix List
For those looking to integrate PSL functionality into their own applications, several tools and APIs are available. One particularly useful resource is the publicsuffixlist-api project on GitHub.
This open-source API provides a convenient way to query and interact with the Public Suffix List programmatically, making it easier to implement PSL-based domain validation and security features in your own applications. The API offers simple endpoints for checking domain status, determining effective TLDs, and validating domain structures—all while staying synchronized with the official PSL.
For developers working on domain management tools, security applications, or web frameworks, this API can significantly simplify the process of correctly implementing PSL-based logic without having to maintain your own parsing and update mechanisms.
Implementation Challenges
Despite its importance, PSL integration isn't perfect:
- Applications may use outdated versions of the list
- Some implementations have bugs or misinterpretations
- The list requires regular updates as the domain landscape changes
- Edge cases exist that the PSL doesn't fully address
Conclusion
The Public Suffix List represents a community solution to a complex problem in internet infrastructure. While invisible to most users, it plays a crucial role in maintaining security boundaries online. For technical professionals working with domains, understanding the PSL provides valuable context for security decisions, application development, and domain strategy.
As the web continues to evolve, the PSL remains a living document that adapts to new domain structures and registration policies. Being aware of its existence and function is increasingly important for anyone working with web technologies at an intermediate to advanced level.
No comments:
Post a Comment