A first look at the privacy harms of the public suffix list

Stephen McQuistin, Peter Snyder, Colin Perkins, Hamed Haddadi, Gareth Tyson

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Citation (Scopus)
15 Downloads (Pure)

Abstract

The public suffix list is a community-maintained list of rules that can be applied to domain names to determine how they should be grouped into logical organizations or companies. We present the first large-scale measurement study of how the public suffix list is used by open-source software on the Web and the privacy harm resulting from projects using outdated versions of the list. We measure how often developers include out-of-date versions of the public suffix list in their projects, how old included lists are, and estimate the real-world privacy harm with a model based on a large-scale crawl of the Web. We find that incorrect use of the public suffix list is common in open-source software, and that at least 43 open-source projects use hard-coded, outdated versions of the public suffix list. These include popular, security-focused projects, such as password managers and digital forensics tools. We also estimate that, because of these out-of-date lists, these projects make incorrect privacy decisions for 1313 effective top-level domains (eTLDs), affecting 50,750 domains, by extrapolating from data gathered by the HTTP Archive project.
Original languageEnglish
Title of host publicationIMC '23: Proceedings of the 2023 ACM on Internet Measurement Conference
Place of PublicationNew York, NY
PublisherACM
Pages383–390
Number of pages8
ISBN (Electronic)9798400703829
DOIs
Publication statusPublished - 24 Oct 2023
EventACM Internet Measurement Conference 2023 - École de technologie supérieure, Montreal, Canada
Duration: 24 Oct 202326 Oct 2023
https://conferences.sigcomm.org/imc/2023/

Conference

ConferenceACM Internet Measurement Conference 2023
Abbreviated titleIMC
Country/TerritoryCanada
CityMontreal
Period24/10/2326/10/23
Internet address

Keywords

  • Web privacy
  • Domain boundaries

Fingerprint

Dive into the research topics of 'A first look at the privacy harms of the public suffix list'. Together they form a unique fingerprint.

Cite this