Closed wdhdev closed 2 months ago
Just for future reference, this comment acts as authorisation for any PRs made by @Tweak4141 regarding this entry.
Greetings PSL maintainers and contributors,
I am Matt, the owner of is-a-good.dev. The is-a-good.dev org has decided to request to be added to the PSL, as we have received numerous reports of instances where dangling subdomains were taken over and used in an attempt to breach cookies. While we try our best to keep dangling subdomains cleared, I feel it would be best to enforce some cookie separation as well, to ensure the security risks are minimal to our end users.
I appreciate the work everyone does to keep this running, thank you for taking the time to consider our request.
All the best, Matt
On Sat, Aug 10, 2024, 3:12 a.m. William Harrison wrote:
> Just for future reference, this comment acts as authorisation for any PRs made by @Tweak4141 regarding this entry.
Expiration (Note: Must remain >2 years at all times):
Domain Name: is-a-good.dev
Creation Date: 2021-06-18T12:20:50Z
Registry Expiry Date: 2034-06-18T12:20:50Z
According to WHOIS records, it is currently in good standing. Please ensure it is renewed in the coming years to maintain a validity period of more than 2 years at all times.
DNS _psl entries (Note: Must remain in place):
The DNS entries appear correct based on checks with multiple public DNS servers.
Please ensure they remain in place at all times in the future.
Responses from multiple DNS servers for the _psl TXT record of the domain:
- 8.8.8.8: "https://github.com/publicsuffix/list/pull/2095"
- 1.1.1.1: "https://github.com/publicsuffix/list/pull/2095"
- 208.67.222.222: "https://github.com/publicsuffix/list/pull/2095"
Sorting:
The sorting appears to be correct.
Reasoning/Organization Description:
Checked out the website https://is-a-good.dev/, which shows a subdomain registration service. This is consistent with what the submitter mentioned and is similar to Open Domains services.
For potential website usage, I queried multiple search engines. Most showed some results, but the count is limited to about 23 results, possibly due to discoverability issues or other reasons.
Given that the submitter stated they "serve over 2.5k unique visitors per month," which meets the relevance criteria, this is probably fine.
I checked the Certificate Transparency Logs, which show some website usage belonging to different individuals or entities, consistent with the submitter's description.
No known potential abuse or malicious activity was discovered when querying trusted security vendors, indicating a clean status.
Could somebody please explain what these dangling subdomains are? I don't understand how that makes an issue for cookie separation.
A dangling subdomain is one that was registered by an individual but no longer points to an active web server or service, leaving cookies vulnerable if a threat actor takes over the IP the record is pointed to. We try our best to check for dangling subdomains and clear them out.
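To make the cookie-separation argument in this thread concrete, here is an added example (not code from the PR, the PSL project, or is-a-good.dev) that models the RFC 6265 domain-matching rule browsers apply to the cookie `Domain` attribute, with and without a public-suffix entry for `is-a-good.dev`. The host names `evil.is-a-good.dev` and `victim.is-a-good.dev`, the cookie name `session`, and the two constructed suffix sets are assumptions chosen for illustration; the only real PSL fact relied on is that `dev` is a public suffix.

```python
"""Added example: why a taken-over (dangling) subdomain can plant cookies that
reach every other tenant until the apex is listed on the Public Suffix List.
Host names, cookie values and the suffix sets below are constructed for the demo."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str  # Domain attribute as set by the server, no leading dot


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it.
    Matching is label-based, so 'evilexample.com' does NOT match 'example.com'."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def is_public_suffix(domain: str, suffixes: set[str]) -> bool:
    """True if `domain` itself is a public suffix (e.g. 'dev', or 'is-a-good.dev'
    once the PR in this thread is merged and browsers pick it up)."""
    return domain.lower().lstrip(".").rstrip(".") in suffixes


def may_set_cookie(setting_host: str, cookie_domain: str, suffixes: set[str]) -> bool:
    """Whether a response from `setting_host` may set a cookie with Domain=cookie_domain.
    Two checks: the host must be inside the domain (RFC 6265 section 5.3 step 6),
    and the domain must not be a public suffix (the check browsers add via the PSL)."""
    if not domain_matches(setting_host, cookie_domain):
        return False  # a host cannot set cookies for a domain it is not under
    if is_public_suffix(cookie_domain, suffixes):
        return False  # browsers reject cookies scoped to a public suffix
    return True


def cookies_sent_to(jar: list[Cookie], request_host: str) -> list[str]:
    """Names of cookies a browser would attach to a request for `request_host`."""
    return [c.name for c in jar if domain_matches(request_host, c.domain)]


# Constructed suffix sets: before and after is-a-good.dev is added to the PSL.
PSL_BEFORE: set[str] = {"dev"}
PSL_AFTER: set[str] = {"dev", "is-a-good.dev"}


def simulate(suffixes: set[str]) -> tuple[bool, list[str]]:
    """An attacker controlling the (hypothetical) dangling subdomain evil.is-a-good.dev
    responds with Set-Cookie: session=...; Domain=is-a-good.dev. Returns whether the
    browser accepted it and which cookie names then reach victim.is-a-good.dev."""
    jar: list[Cookie] = []
    accepted = may_set_cookie("evil.is-a-good.dev", "is-a-good.dev", suffixes)
    if accepted:
        jar.append(Cookie("session", "attacker-chosen", "is-a-good.dev"))
    return accepted, cookies_sent_to(jar, "victim.is-a-good.dev")


if __name__ == "__main__":
    print("before PSL listing:", simulate(PSL_BEFORE))  # (True, ['session'])
    print("after PSL listing: ", simulate(PSL_AFTER))   # (False, [])
```

Note what the listing does and does not change: host-only cookies (no `Domain` attribute) were never shared between sibling subdomains, so the PSL entry specifically blocks the parent-scoped `Domain=is-a-good.dev` cookie that any single tenant, or anyone who takes over a dangling record, could otherwise plant for every other tenant (the usual "cookie tossing" session-fixation setup). The same logic is also why the PSL entry only helps once browsers have refreshed their copy of the list, which is the propagation caveat the PR template asks submitters to acknowledge.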
Okay, but if you're not on the PSL people can just sign up for a domain and use that for stealing cookies, right?
Seems like an orthogonal issue unless you somehow have very good security screening when giving out domains.
We manually review all domains that are created on our service; they are created via pull request on our repo https://github.com/is-a-good-dev/register, and we do screen all sites. What Tweak mentioned is most likely a previous issue, as I do not personally recall it.
Public Suffix List (PSL) Pull Request (PR) Template
Each PSL PR needs to have a description, rationale, indication of DNS validation and syntax checking, as well as a number of acknowledgements from the submitter. This template must be included with each PR, and the submitting party MUST provide responses to all of the elements in order to be considered.
Checklist of required steps
[x] Description of Organization
[x] Robust Reason for PSL Inclusion
[x] DNS verification via dig
[x] Run Syntax Checker (make test)
[x] Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _PSL txt record in place in the respective zone(s) in the affected section
Submitter affirms the following:
For Private section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.
To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.
PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.
(Link: about propagation/expectations)
[x] Yes, I understand. I could break my organization's website cookies etc. and the rollback timing, etc is acceptable. Proceed.
Description of Organization
An open-source project/service that allows developers to get their own, free "is-a-good.dev" domain
Organization Website:
https://is-a-good.dev
Reason for PSL Inclusion
Like is-a.dev, js.org, and other domain name services listed on the PSL, is-a-good.dev is a free subdomain name service where you can register `yourname.is-a-good.dev`. We mainly require PSL status for cookie separation, which will help minimise security risks among subdomains as each subdomain is owned by a different party. URL highlighting in supported browsers is also useful as well.
Number of users this request is being made to serve:
215+ current subdomains, which serve over 2.5k unique visitors per month.
DNS Verification via dig
Results of Syntax Checker (make test): All tests passed.