publicsuffix / list

The Public Suffix List
https://publicsuffix.org/
Mozilla Public License 2.0

Add IONOS product domains #2083

Closed 1and1tecsec closed 1 month ago

1and1tecsec commented 1 month ago

Public Suffix List (PSL) Pull Request (PR) Template

Each PSL PR needs to have a description, rationale, indication of DNS validation and syntax checking, as well as a number of acknowledgements from the submitter. This template must be included with each PR, and the submitting party MUST provide responses to all of the elements in order to be considered.

Checklist of required steps

Submitter affirms the following:


For Private section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

Description of Organization

The IONOS Group offers shared, dedicated, managed and cloud hosting and domain registration services, managing around 6 million customer contracts and more than 22 million domains. Roughly 2/3 of our customer base is located in Europe (Germany, UK, France, Spain, Italy, ...).

IONOS has essentially been around under various names for more than 2 decades (Schlund+Partner, 1&1 Puretec, 1&1 Internet, ...). After merging with more acquisitions (Fasthosts, Arsys, Strato, home.pl, World4you, ...) and some restructuring, IONOS has been spun off into a separate company with a new name.

The PR is submitted by Security Engineer Henrik Willert, acting on behalf of the Technical Security team of IONOS. This is a collaborative effort, mostly driven and made possible by Systems Architect Anders Henke and Software Architect Jonas Julino.

Organization Website: https://www.ionos-group.com/ Products Website: https://www.ionos.com/

Reason for PSL Inclusion

Customer instances of our shared web hosting products come with one or more free subdomains of a product-line specific domain. Those subdomains allow customers to test changes without affecting their primary website. In some products, the subdomain is also used to configure a customer's individual instance. In all of the cases described below, those subdomains host only customer-generated content and/or applications.

Common patterns for the WordPress-range of products are:

<string>.live-website.com
<string>.apps-1and1.com
<string>.apps-1and1.net

The (alphanumeric) string is usually derived from other user-provided information, such as a project or domain name.

One of our website builder products uses the following patterns:

s<id>.websitebuilder.online
n<id>.websitebuilder.online

A recent hosting product connecting GitHub repositories to fully-featured shared hosting webspaces uses the following pattern:

home-<id>.app-ionos.space

The ids for websitebuilder.online and app-ionos.space are automatically generated.

Each of the subdomains mentioned above is an independent instance and should be treated accordingly:

A PSL inclusion should help with both of these.

Other products also have further lists of domains which should have been put on the PSL a long time ago, but we're still evaluating what could possibly break and will file another request when we're ready to have them included.

To meet the 2y-criteria from https://github.com/publicsuffix/list/issues/1109, we've been manually renewing those domains to the following registry expiry dates:

apps-1and1.com: 2030-05-20T16:04:03Z
live-website.com: 2030-06-21T09:21:07Z
apps-1and1.net: 2030-05-20T16:03:27Z
websitebuilder.online: 2029-11-09T23:59:59.0Z
app-ionos.space: 2030-01-28T23:59:59.0Z

We also intend to keep those registrations in good standing and plan automating renewal according to PSL requirements. Additionally, those domains are set to auto-renewal, so at worst: they'll renew during the last month before expiry.

Number of users this request is being made to serve: We estimate that more than 600k customer instances are affected by the domains mentioned above.

DNS Verification via dig

💻:~[0]$ dig +short TXT _psl.apps-1and1.com
"https://github.com/publicsuffix/list/pull/2083"
💻:~[0]$ dig +short TXT _psl.live-website.com
"https://github.com/publicsuffix/list/pull/2083"
💻:~[0]$ dig +short TXT _psl.apps-1and1.net
"https://github.com/publicsuffix/list/pull/2083"
💻:~[0]$ dig +short TXT _psl.websitebuilder.online
"https://github.com/publicsuffix/list/pull/2083"
💻:~[0]$ dig +short TXT _psl.app-ionos.space
"https://github.com/publicsuffix/list/pull/2083"

Results of Syntax Checker (make test)

💻:~/Documents/dev/public-suffix-list[0]$ make test
cd linter;                                \
  ./pslint_selftest.sh;                     \
  ./pslint.py ../public_suffix_list.dat;
test_allowedchars: OK
test_dots: OK
test_duplicate: OK
test_exception: OK
test_NFKC: OK
test_punycode: OK
test_section1: OK
test_section2: OK
test_section3: OK
test_section4: OK
test_spaces: OK
test_wildcard: OK
test -d libpsl || git clone --depth=1 https://github.com/rockdaboot/libpsl;   \
  cd libpsl;                                                                    \
  git pull;                                                                     \
  echo "EXTRA_DIST =" >  gtk-doc.make;                                          \
  echo "CLEANFILES =" >> gtk-doc.make;                                          \
  autoreconf --install --force --symlink;
Already up to date.
autopoint: using AM_GNU_GETTEXT_REQUIRE_VERSION instead of AM_GNU_GETTEXT_VERSION
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: linking file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: linking file 'm4/libtool.m4'
libtoolize: linking file 'm4/ltoptions.m4'
libtoolize: linking file 'm4/ltsugar.m4'
libtoolize: linking file 'm4/ltversion.m4'
libtoolize: linking file 'm4/lt~obsolete.m4'
configure.ac:1: warning: file `version.txt' included several times
configure.ac:4: warning: file `version.txt' included several times
aclocal.m4:765: AM_INIT_AUTOMAKE is expanded from...
configure.ac:4: the top level
configure.ac:369: warning: file `version.txt' included several times
configure.ac:10: installing 'build-aux/compile'
configure.ac:4: installing 'build-aux/missing'
fuzz/Makefile.am: installing 'build-aux/depcomp'
cd libpsl && ./configure -q -C --enable-runtime=libicu --enable-builtin=libicu --with-psl-file=/home/hwillert/Documents/dev/public-suffix-list/public_suffix_list.dat --with-psl-testfile=/home/hwillert/Documents/dev/public-suffix-list/tests/tests.txt && make -s clean && make -s check -j4
configure: WARNING: --enable-builtin=libicu is deprecated, use --enable-builtin (enabled by default)
config.status: creating po/POTFILES
config.status: creating po/Makefile
Making clean in po
Making clean in include
Making clean in src
rm -f ./so_locations
Making clean in tools
 rm -f psl
Making clean in fuzz
 rm -f libpsl_icu_fuzzer libpsl_icu_load_fuzzer libpsl_icu_load_dafsa_fuzzer
Making clean in tests
 rm -f test-is-public test-is-public-all test-is-cookie-domain-acceptable test-is-public-builtin test-registrable-domain
Making clean in msvc
Making check in po
Making check in include
Making check in src
  CC       libpsl_la-psl.lo
  CC       libpsl_la-lookup_string_in_fixed_set.lo
  CCLD     libpsl.la
Making check in tools
  CC       psl.o
  CCLD     psl
Making check in fuzz
  CC       libpsl_fuzzer.o
  CC       main.o
  CC       libpsl_load_fuzzer.o
  CC       libpsl_load_dafsa_fuzzer.o
  CCLD     libpsl_icu_fuzzer
  CCLD     libpsl_icu_load_fuzzer
  CCLD     libpsl_icu_load_dafsa_fuzzer
PASS: libpsl_icu_load_dafsa_fuzzer
PASS: libpsl_icu_fuzzer
PASS: libpsl_icu_load_fuzzer
============================================================================
Testsuite summary for libpsl 0.21.5
============================================================================
# TOTAL: 3
# PASS:  3
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in tests
  CC       test-is-public.o
  CC       common.o
  CC       test-is-public-all.o
  CC       test-is-cookie-domain-acceptable.o
  CC       test-is-public-builtin.o
  CC       test-registrable-domain.o
  CCLD     test-is-public
  CCLD     test-is-cookie-domain-acceptable
  CCLD     test-is-public-all
  CCLD     test-is-public-builtin
  CCLD     test-registrable-domain
PASS: test-is-public-builtin
PASS: test-is-public
PASS: test-is-cookie-domain-acceptable
PASS: test-registrable-domain
PASS: test-is-public-all
============================================================================
Testsuite summary for libpsl 0.21.5
============================================================================
# TOTAL: 5
# PASS:  5
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in msvc
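
Added example, not code from the PR submitter or from the PSL project: a minimal Python implementation of the matching algorithm described at https://publicsuffix.org/list/ (longest matching rule wins, exception rules prevail, no match means the TLD alone is public), used to show what changes for names such as <string>.live-website.com or home-<id>.app-ionos.space once the entries are in the Private section. The registrable domain moves one label to the left, and a cookie with Domain=live-website.com set by one customer's instance is no longer accepted, so it can no longer be read by every other customer on that domain, which is the cookie separation the reviewer refers to. The block also carries offline versions of the two checks applied in review: the _psl TXT record and the two-year registry expiry. The PSL excerpt is constructed (it is not the real public_suffix_list.dat), the TXT strings and expiry dates are copied from the PR text above, the reference date is constructed, and the 730-day threshold is an approximation of the "2y" requirement from issue #1109.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed PSL excerpt (not the real public_suffix_list.dat): a few ICANN
# rules, including a wildcard and an exception, plus one private entry.
PSL_BEFORE = """\
// ===BEGIN ICANN DOMAINS===
com
net
online
space
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
// ===END PRIVATE DOMAINS===
"""

# The five entries requested in this PR, appended to the private section.
PR_DOMAINS = ["live-website.com", "apps-1and1.com", "apps-1and1.net",
              "websitebuilder.online", "app-ionos.space"]
PSL_AFTER = PSL_BEFORE.replace(
    "github.io\n", "github.io\n" + "".join(d + "\n" for d in PR_DOMAINS))

# Constructed reference date for the expiry check.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_psl(text):
    """Return the rules in a PSL file: blank lines and // comments are
    skipped, and each rule is read only up to the first whitespace."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("//"):
            rules.append(line.split()[0].lower())
    return rules


def public_suffix(rules, domain):
    """PSL algorithm: among all matching rules an exception rule wins,
    otherwise the one with the most labels; no match means '*' (the TLD)."""
    labels = domain.lower().rstrip(".").split(".")[::-1]  # TLD first
    best, best_is_exception = None, False
    for rule in rules:
        is_exception = rule.startswith("!")
        rl = rule.lstrip("!").split(".")[::-1]
        if len(rl) > len(labels) or any(
                r != "*" and r != l for r, l in zip(rl, labels)):
            continue
        if is_exception:
            best, best_is_exception = rl, True
            break
        if best is None or len(rl) > len(best):
            best = rl
    if best is None:
        best = ["*"]
    n = len(best) - 1 if best_is_exception else len(best)
    return ".".join(labels[:n][::-1])


def registrable_domain(rules, domain):
    """Public suffix plus one label, or None if the name is itself public."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(rules, domain).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None


def cookie_domain_acceptable(rules, request_host, cookie_domain):
    """The check browsers add on top of RFC 6265 domain matching: a Domain
    attribute that is a public suffix is rejected unless it equals the host."""
    host, cd = request_host.lower(), cookie_domain.lower().lstrip(".")
    if cd != host and public_suffix(rules, cd) == cd:
        return False
    return host == cd or host.endswith("." + cd)


def psl_txt_ok(txt_records, pr_url):
    """True if a TXT string for _psl.<domain> (as printed by dig +short,
    i.e. possibly double-quoted) is exactly the PR URL."""
    return any(r.strip().strip('"') == pr_url for r in txt_records)


_ISO = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})")


def expiry_ok(expiry_iso, now, min_days=730):
    """True if the registry expiry is at least min_days ahead of `now`
    (730 days approximates the two-year rule from issue #1109)."""
    m = _ISO.match(expiry_iso)
    if m is None:
        raise ValueError("unexpected expiry format: " + expiry_iso)
    expiry = datetime(*map(int, m.groups()), tzinfo=timezone.utc)
    return expiry - now >= timedelta(days=min_days)


if __name__ == "__main__":
    before, after = parse_psl(PSL_BEFORE), parse_psl(PSL_AFTER)
    for name in ["alice.live-website.com", "home-1234.app-ionos.space", "www.ck"]:
        print(name, registrable_domain(before, name), "->", registrable_domain(after, name))
    # Domain=live-website.com set by one instance: accepted before, rejected after.
    print(cookie_domain_acceptable(before, "bob.live-website.com", "live-website.com"),
          cookie_domain_acceptable(after, "bob.live-website.com", "live-website.com"))
    print(psl_txt_ok(['"https://github.com/publicsuffix/list/pull/2083"'],
                     "https://github.com/publicsuffix/list/pull/2083"))
    print(expiry_ok("2030-05-20T16:04:03Z", REFERENCE_NOW))
```

The wildcard and exception rules are in the excerpt only so the matcher is exercised on the full algorithm; the PR's own entries are plain rules, so for them the effect is simply that the entry itself becomes the public suffix and each customer label beneath it becomes its own registrable domain.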

groundcat commented 1 month ago

Expiration (Note: Must remain >2 years at all times):

According to WHOIS records, all domains are currently in good standing. Please ensure they are renewed in the coming years to maintain a validity period of more than two years at all times in the future.

DNS _psl entries (Note: Must remain in place):

The DNS entries appear correct based on checks with multiple public DNS servers. Please ensure they remain in place at all times in the future.

Sources: dig command using DNS servers: Google (8.8.8.8), Cloudflare (1.1.1.1), OpenDNS (208.67.222.222).

Sorting:

The sorting appears to be correct.

Reasoning/Organization Description:

The submitter mentioned that different web hosting customers have their own subdomains. This seems to be a reasonable request for PSL inclusion to enable cookie separation between subdomains that belong to different clients of web hosting or entities, consistent with the submitter's description.

To assess website usage, I queried multiple search engines and discovered a considerable number of subdomains, which aligns with the reported number of users:

groundcat commented 1 month ago

There doesn't seem to be a relevance issue, but one of the domains, app-ionos.space, has a higher portion of security vendors flagging it as malicious. It's understandable that such issues can occur when you offer namespace on the second-level domain.

@1and1tecsec I wonder if you have existing mitigations to prevent future abuse, such as an abuse reporting procedure or some sort of detection that your company handles promptly. This would deter potential adversaries, especially as it will be added to the Public Suffix List.

1and1tecsec commented 1 month ago

@groundcat Our abuse team is available via AS8560 role accounts (abuse at ionos.com).

They have different processes in place, depending on the maturity of the integration after the re-organization of our company. This includes internal sensors for detection, external reports, and feeds, to process reports automatically or manually in order to ensure a broad coverage of mitigation measures against abuse. Our products do integrate into those processes at different levels, from the classic "manual case handling" down to "automated lock of the corresponding file/directory/domain/webspace/contract/customer and on-call escalation". As many phishing cases are using fraudulent orders, fraud processes also have an important role to prevent phishing cases in the first place, in addition to the abuse processes mentioned above.

The product using the domain app-ionos.space is somewhere in the lower mid-range of such integrations, but we're in the process of improving that to a more advanced level, so it reaches the same maturity as the other domains.

simon-friedberger commented 1 month ago