A First Look at the Privacy Harms of the Public Suffix List

Stephen McQuistin; Peter Snyder; Colin Perkins; Hamed Haddadi; Gareth Tyson

doi:10.1145/3618257.3624836

A First Look at the Privacy Harms of the Public Suffix List

Stephen McQuistin, Peter Snyder, Colin Perkins, Hamed Haddadi, Gareth Tyson

Department of Electronic and Computer Engineering

Research output: Chapter in Book/Conference Proceeding/Report › Conference Paper published in a book › peer-review

2 Citations (Scopus)

Abstract

The public suffix list is a community-maintained list of rules that can be applied to domain names to determine how they should be grouped into logical organizations or companies. We present the first large-scale measurement study of how the public suffix list is used by open-source software on the Web and the privacy harm resulting from projects using outdated versions of the list. We measure how often developers include out-of-date versions of the public suffix list in their projects, how old included lists are, and estimate the real-world privacy harm with a model based on a large-scale crawl of the Web. We find that incorrect use of the public suffix list is common in open-source software, and that at least 43 open-source projects use hard-coded, outdated versions of the public suffix list. These include popular, security-focused projects, such as password managers and digital forensics tools. We also estimate that, because of these out-of-date lists, these projects make incorrect privacy decisions for 1313 effective top-level domains (eTLDs), affecting 50,750 domains, by extrapolating from data gathered by the HTTP Archive project.

Original language	English
Title of host publication	IMC 2023 - Proceedings of the 2023 ACM on Internet Measurement Conference
Publisher	Association for Computing Machinery
Pages	383-390
Number of pages	8
ISBN (Electronic)	9798400703829
DOIs	https://doi.org/10.1145/3618257.3624836
Publication status	Published - 24 Oct 2023
Event	23rd ACM Internet Measurement Conference, IMC 2023 - Montreal, Canada Duration: 24 Oct 2023 → 26 Oct 2023

Publication series

Name	Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC
ISSN (Print)	2150-3761

Conference

Conference	23rd ACM Internet Measurement Conference, IMC 2023
Country/Territory	Canada
City	Montreal
Period	24/10/23 → 26/10/23

Bibliographical note

Publisher Copyright:
© 2023 ACM.

Keywords

domain boundaries
web privacy

Access to Document

10.1145/3618257.3624836

Cite this

McQuistin, S., Snyder, P., Perkins, C., Haddadi, H., & Tyson, G. (2023). A First Look at the Privacy Harms of the Public Suffix List. In IMC 2023 - Proceedings of the 2023 ACM on Internet Measurement Conference (pp. 383-390). (Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC). Association for Computing Machinery. https://doi.org/10.1145/3618257.3624836

@inproceedings{1dc85a8070d2469ea700ba4897220df2,

title = "A First Look at the Privacy Harms of the Public Suffix List",

abstract = "The public suffix list is a community-maintained list of rules that can be applied to domain names to determine how they should be grouped into logical organizations or companies. We present the first large-scale measurement study of how the public suffix list is used by open-source software on the Web and the privacy harm resulting from projects using outdated versions of the list. We measure how often developers include out-of-date versions of the public suffix list in their projects, how old included lists are, and estimate the real-world privacy harm with a model based on a large-scale crawl of the Web. We find that incorrect use of the public suffix list is common in open-source software, and that at least 43 open-source projects use hard-coded, outdated versions of the public suffix list. These include popular, security-focused projects, such as password managers and digital forensics tools. We also estimate that, because of these out-of-date lists, these projects make incorrect privacy decisions for 1313 effective top-level domains (eTLDs), affecting 50,750 domains, by extrapolating from data gathered by the HTTP Archive project.",

keywords = "domain boundaries, web privacy",

author = "Stephen McQuistin and Peter Snyder and Colin Perkins and Hamed Haddadi and Gareth Tyson",

note = "Publisher Copyright: {\textcopyright} 2023 ACM.; 23rd ACM Internet Measurement Conference, IMC 2023 ; Conference date: 24-10-2023 Through 26-10-2023",

year = "2023",

month = oct,

day = "24",

doi = "10.1145/3618257.3624836",

language = "English",

series = "Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC",

publisher = "Association for Computing Machinery",

pages = "383--390",

booktitle = "IMC 2023 - Proceedings of the 2023 ACM on Internet Measurement Conference",

}

McQuistin, S, Snyder, P, Perkins, C, Haddadi, H & Tyson, G 2023, A First Look at the Privacy Harms of the Public Suffix List. in IMC 2023 - Proceedings of the 2023 ACM on Internet Measurement Conference. Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC, Association for Computing Machinery, pp. 383-390, 23rd ACM Internet Measurement Conference, IMC 2023, Montreal, Canada, 24/10/23. https://doi.org/10.1145/3618257.3624836

A First Look at the Privacy Harms of the Public Suffix List. / McQuistin, Stephen; Snyder, Peter; Perkins, Colin et al.
IMC 2023 - Proceedings of the 2023 ACM on Internet Measurement Conference. Association for Computing Machinery, 2023. p. 383-390 (Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC).

Research output: Chapter in Book/Conference Proceeding/Report › Conference Paper published in a book › peer-review

TY - GEN

T1 - A First Look at the Privacy Harms of the Public Suffix List

AU - McQuistin, Stephen

AU - Snyder, Peter

AU - Perkins, Colin

AU - Haddadi, Hamed

AU - Tyson, Gareth

PY - 2023/10/24

Y1 - 2023/10/24

N2 - The public suffix list is a community-maintained list of rules that can be applied to domain names to determine how they should be grouped into logical organizations or companies. We present the first large-scale measurement study of how the public suffix list is used by open-source software on the Web and the privacy harm resulting from projects using outdated versions of the list. We measure how often developers include out-of-date versions of the public suffix list in their projects, how old included lists are, and estimate the real-world privacy harm with a model based on a large-scale crawl of the Web. We find that incorrect use of the public suffix list is common in open-source software, and that at least 43 open-source projects use hard-coded, outdated versions of the public suffix list. These include popular, security-focused projects, such as password managers and digital forensics tools. We also estimate that, because of these out-of-date lists, these projects make incorrect privacy decisions for 1313 effective top-level domains (eTLDs), affecting 50,750 domains, by extrapolating from data gathered by the HTTP Archive project.

AB - The public suffix list is a community-maintained list of rules that can be applied to domain names to determine how they should be grouped into logical organizations or companies. We present the first large-scale measurement study of how the public suffix list is used by open-source software on the Web and the privacy harm resulting from projects using outdated versions of the list. We measure how often developers include out-of-date versions of the public suffix list in their projects, how old included lists are, and estimate the real-world privacy harm with a model based on a large-scale crawl of the Web. We find that incorrect use of the public suffix list is common in open-source software, and that at least 43 open-source projects use hard-coded, outdated versions of the public suffix list. These include popular, security-focused projects, such as password managers and digital forensics tools. We also estimate that, because of these out-of-date lists, these projects make incorrect privacy decisions for 1313 effective top-level domains (eTLDs), affecting 50,750 domains, by extrapolating from data gathered by the HTTP Archive project.

KW - domain boundaries

KW - web privacy

UR - https://www.scopus.com/pages/publications/85177617219

U2 - 10.1145/3618257.3624836

DO - 10.1145/3618257.3624836

M3 - Conference Paper published in a book

AN - SCOPUS:85177617219

T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

SP - 383

EP - 390

BT - IMC 2023 - Proceedings of the 2023 ACM on Internet Measurement Conference

PB - Association for Computing Machinery

T2 - 23rd ACM Internet Measurement Conference, IMC 2023

Y2 - 24 October 2023 through 26 October 2023

ER -

A First Look at the Privacy Harms of the Public Suffix List

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this