publicsuffix / list

The Public Suffix List
https://publicsuffix.org/
Mozilla Public License 2.0

add `is-a-good.dev` #2095

Closed wdhdev closed 2 months ago

wdhdev commented 2 months ago

Public Suffix List (PSL) Pull Request (PR) Template

Each PSL PR needs to have a description, rationale, indication of DNS validation and syntax checking, as well as a number of acknowledgements from the submitter. This template must be included with each PR, and the submitting party MUST provide responses to all of the elements in order to be considered.

Checklist of required steps

Submitter affirms the following:


For Private section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to roll back, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

Description of Organization

An open-source project/service that allows developers to get their own, free "is-a-good.dev" domain

Organization Website:

https://is-a-good.dev

Reason for PSL Inclusion

Like is-a.dev, js.org, and other domain name services listed on the PSL, is-a-good.dev is a free subdomain name service where you can register yourname.is-a-good.dev.

We mainly require PSL status for cookie separation, which will help minimise security risks among subdomains, as each subdomain is owned by a different party. URL highlighting in supported browsers is also useful.

Number of users this request is being made to serve:

215+ current subdomains, which serve over 2.5k unique visitors per month.

DNS Verification via dig

dig +short TXT _psl.is-a-good.dev
"https://github.com/publicsuffix/list/pull/2095"

Results of Syntax Checker (make test)

All tests passed.

wdhdev commented 2 months ago

Just for future reference, this comment acts as authorisation for any PRs made by @Tweak4141 regarding this entry.

Tweak4141 commented 2 months ago

Greetings PSL maintainers and contributors,

I am Matt, the owner of is-a-good.dev. The is-a-good.dev org has decided to request to be added to the PSL, as we have received numerous reports of instances where dangling subdomains were taken over and used in an attempt to breach cookies. While we try our best to keep dangling subdomains cleared, I feel it would be best to enforce some cookie separation as well, to ensure the security risks are minimal to our end users.

I appreciate the work everyone does to keep this running, thank you for taking the time to consider our request.

All the best, Matt

On Sat, Aug 10, 2024, 3:12 a.m. William Harrison @.***> wrote:

Just for future reference, this comment acts as authorisation for any PRs made by @Tweak4141 https://github.com/Tweak4141 regarding this entry.


groundcat commented 2 months ago

Expiration (Note: Must remain >2 years at all times):

Domain Name: is-a-good.dev  
Creation Date: 2021-06-18T12:20:50Z  
Registry Expiry Date: 2034-06-18T12:20:50Z  

According to WHOIS records, it is currently in good standing. Please ensure it is renewed in the coming years to maintain a validity period of more than 2 years at all times.

DNS _psl entries (Note: Must remain in place):

The DNS entries appear correct based on checks with multiple public DNS servers.

Please ensure they remain in place at all times in the future.

Responses from multiple DNS servers for the _psl TXT record of the domain:

Sorting:

The sorting appears to be correct.

Reasoning/Organization Description:

Checked out the website https://is-a-good.dev/, which shows a subdomain registration service. This is consistent with what the submitter mentioned and is similar to Open Domains services.

For potential website usage, I queried multiple search engines. Most showed some results, but the quantity is limited to about 23 results, possibly due to discoverability issues or other reasons.

The submitter stated that the service serves "over 2.5k unique visitors per month," which meets the relevance criteria, so this is probably fine.

I checked the Certificate Transparency Logs, which show some website usage belonging to different individuals or entities, consistent with the submitter's description.

No known potential abuse or malicious activity was discovered when querying trusted security vendors, indicating a clean status.
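The two mechanical checks in this review (the `_psl` TXT record queried from several public resolvers, and the WHOIS expiry staying more than two years out) can be scripted. The following Python is an added example, not the PSL project's own tooling: the parsing and date logic run offline on the dig output and expiry date shown in this thread, while the live query assumes `dig` is on `PATH`; the resolver set is an assumption of the example.

```python
"""Reviewer-side checks for a PSL request: _psl TXT record and WHOIS expiry.

Added example, not the PSL project's own tooling. The live query assumes
`dig` is installed; parsing and date checks work on strings so they can be
exercised without network access.
"""
import shlex
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Optional

# Public resolvers to cross-check (the specific set is an assumption of this
# example; the review comment only says "multiple public DNS servers").
RESOLVERS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]

# Output of `dig +short TXT _psl.is-a-good.dev` as shown in the PR body.
SAMPLE_DIG = '"https://github.com/publicsuffix/list/pull/2095"\n'
PR_URL = "https://github.com/publicsuffix/list/pull/2095"


def parse_dig_txt(output: str) -> list[str]:
    """Turn `dig +short TXT` output into one string per record.

    dig prints each TXT record on its own line as one or more double-quoted
    chunks; chunks of the same record are concatenated and quotes removed.
    """
    records = []
    for line in output.splitlines():
        if line.strip():
            records.append("".join(shlex.split(line)))
    return records


def psl_txt_ok(output: str, pr_url: str) -> bool:
    """True only if some _psl TXT record equals the PR URL exactly.

    An exact comparison catches the usual mistakes: a trailing slash,
    stray whitespace, or the wrong PR number.
    """
    return pr_url in parse_dig_txt(output)


def query_psl_txt(domain: str, resolver: str) -> str:
    """Run `dig +short TXT _psl.<domain> @<resolver>` and return raw stdout."""
    cmd = ["dig", "+short", "TXT", f"_psl.{domain}", f"@{resolver}"]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout


def check_all_resolvers(domain: str, pr_url: str) -> dict[str, bool]:
    """Map each resolver to whether it returns the expected _psl record."""
    return {r: psl_txt_ok(query_psl_txt(domain, r), pr_url) for r in RESOLVERS}


def expiry_ok(expiry_iso: str, now_iso: Optional[str] = None, min_years: int = 2) -> bool:
    """WHOIS 'Registry Expiry Date' must be more than min_years ahead of now.

    Dates are in the WHOIS format seen in the thread (YYYY-MM-DDTHH:MM:SSZ).
    The year length is approximated as 365 days.
    """
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expiry = datetime.strptime(expiry_iso, fmt).replace(tzinfo=timezone.utc)
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
    return expiry - now > timedelta(days=365 * min_years)


if __name__ == "__main__":
    # Offline checks on the values from this PR thread.
    print("TXT record matches PR:", psl_txt_ok(SAMPLE_DIG, PR_URL))
    print("Expiry > 2 years:", expiry_ok("2034-06-18T12:20:50Z"))
    # Live cross-resolver check (needs dig and network access).
    try:
        print(check_all_resolvers("is-a-good.dev", PR_URL))
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        print("live query skipped:", exc)
```

`check_all_resolvers` is what a reviewer would run to confirm the record is visible everywhere rather than only at the authoritative server; a mixed result usually means the record was added moments ago and has not propagated yet.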


simon-friedberger commented 2 months ago

Could somebody please explain what these dangling subdomains are? I don't understand how that makes an issue for cookie separation.

Tweak4141 commented 2 months ago

Could somebody please explain what these dangling subdomains are? I don't understand how that makes an issue for cookie separation.

A dangling subdomain is one that was registered by an individual but no longer points to an active web server or service, which leaves cookies vulnerable if a threat actor takes over the IP the record points to. We try our best to check for dangling subdomains and clear them out.
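To make the cookie-separation argument from the PR description and this exchange concrete, here is an added Python example (not code from the PR or the PSL project). It uses a small constructed excerpt of the list, computes the public suffix and registrable domain of a host with the PSL matching algorithm (longest matching rule, with wildcard and exception rules), and then applies the check browsers make under RFC 6265 §5.3: a `Domain=` attribute that is itself a public suffix is rejected. Before `is-a-good.dev` is listed, `alice.is-a-good.dev` can set a cookie scoped to `is-a-good.dev` that every other subdomain, including a taken-over dangling one, receives; after listing, the browser refuses it. IDNA/punycode handling is omitted.

```python
"""Minimal Public Suffix List matcher and cookie Domain-attribute check.

Added example, not the PSL project's code. The rule lists are constructed
excerpts; the real list is far larger. Wildcard ("*.foo") and exception
("!bar.foo") rules are handled as the PSL algorithm specifies.
"""
from typing import Optional

# Constructed excerpts: the "dev" TLD alone, and the same list with the
# PRIVATE-section entry this PR adds.
PSL_BEFORE = ["dev"]
PSL_AFTER = ["dev", "is-a-good.dev"]


def _labels(host: str) -> list[str]:
    return host.lower().strip(".").split(".")


def public_suffix(host: str, rules: list[str]) -> str:
    """Public suffix of host under rules.

    The matching rule with the most labels wins; an exception rule wins
    outright and yields the rule minus its first label; "*" matches one
    label. With no matching rule the suffix is the last label.
    """
    labels = _labels(host)
    best: Optional[tuple] = None  # (label count, suffix)
    for rule in rules:
        exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if len(rule_labels) > len(labels):
            continue
        tail = labels[-len(rule_labels):]
        if all(r == "*" or r == h for r, h in zip(rule_labels, tail)):
            if exception:
                return ".".join(tail[1:])
            if best is None or len(rule_labels) > best[0]:
                best = (len(rule_labels), ".".join(tail))
    return best[1] if best else labels[-1]


def registrable_domain(host: str, rules: list[str]) -> Optional[str]:
    """eTLD+1: the public suffix plus one label, or None if host is a suffix."""
    labels = _labels(host)
    n = len(public_suffix(host, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def cookie_domain_accepted(request_host: str, cookie_domain: str, rules: list[str]) -> bool:
    """Would a browser store a cookie with Domain=<cookie_domain> set by request_host?

    Two conditions from RFC 6265: the request host must domain-match the
    attribute (section 5.1.3), and the attribute must not be a public
    suffix (section 5.3, step 5).
    """
    rh = request_host.lower().strip(".")
    cd = cookie_domain.lower().strip(".")
    domain_matches = rh == cd or rh.endswith("." + cd)
    return domain_matches and cd != public_suffix(cd, rules)


if __name__ == "__main__":
    for name, rules in (("before", PSL_BEFORE), ("after", PSL_AFTER)):
        print(name,
              "eTLD+1 of alice.is-a-good.dev =", registrable_domain("alice.is-a-good.dev", rules),
              "| Domain=is-a-good.dev accepted:",
              cookie_domain_accepted("alice.is-a-good.dev", "is-a-good.dev", rules))
```

After the entry lands, each `<user>.is-a-good.dev` is its own registrable domain, so a cookie can at most be scoped to that one host; a stale subdomain whose record now points at an attacker-controlled address receives only cookies set for itself, which is the separation the submitter is asking for. This is also why the maintainer's counter-question is fair: the listing isolates subdomains from each other, but it does nothing about who is allowed to register one.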

simon-friedberger commented 2 months ago

Okay, but if you're not on the PSL people can just sign up for a domain and use that for stealing cookies, right?

Seems like an orthogonal issue unless you somehow have very good security screening when giving out domains.

wdhdev commented 2 months ago

We manually review all domains that are created on our service; they are created via pull request on our repo https://github.com/is-a-good-dev/register, and we do screen all sites. What Tweak mentioned is most likely a previous issue, as I do not personally recall it.