Note that adding your domain to the PSL has potentially unwanted side effects.
For example, it will become somewhat inconvenient to share data across your subdomains. Instead of just setting a session cookie with domain=.start.page, you will need to implement a proper single sign-on mechanism. Email might be affected, too, especially when it comes to DKIM and DMARC.
You also need to make sure that your domain is listed in the private section of the PSL. There was a thread a while ago when someone got mistakenly listed in the ICANN TLD section and couldn't get a wildcard certificate for their domain. Let's Encrypt and most other CAs have a policy of rejecting domains like *.co.uk, and may rely on the PSL to tell which is which.
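As an added example that is not part of this thread or of any PSL project code: a minimal implementation of the Public Suffix List matching algorithm over a constructed excerpt of the list, assuming start.page is listed in the private section as recommended above. It shows each <user>.start.page becoming its own registrable domain and a cookie with domain=start.page being refused, which is the session-cookie side effect described above.

```python
PSL_EXCERPT = """// Constructed excerpt in the real file's format, not the real PSL.
// ===BEGIN ICANN DOMAINS===
com
ck
*.ck
!www.ck
page
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
start.page
// ===END PRIVATE DOMAINS===
"""
def parse_psl(text):
    """Map each rule to the section (ICANN or PRIVATE) it is listed in."""
    rules, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("// ===BEGIN"):
            section = "PRIVATE" if "PRIVATE" in line else "ICANN"
        elif line and not line.startswith("//"):
            rules[line] = section
    return rules

def _matches(rule, labels):  # rule labels == host's trailing labels; '*' matches any one label
    rl = rule.lstrip("!").split(".")
    return len(rl) <= len(labels) and all(r in ("*", h) for r, h in zip(rl, labels[-len(rl):]))

def public_suffix(host, rules):
    """(public suffix, PSL section) per the PSL algorithm: an exception rule wins, else the longest match."""
    labels = host.lower().rstrip(".").split(".")
    matching = [r for r in rules if _matches(r, labels)]
    exceptions = [r for r in matching if r.startswith("!")]
    if exceptions:  # exception rule: the suffix is the rule minus its leftmost label
        prevailing, n = exceptions[0], exceptions[0].count(".")
    else:           # no matching rule at all means the implicit rule '*'
        prevailing = max(matching, key=lambda r: r.count("."), default="*")
        n = prevailing.count(".") + 1
    return ".".join(labels[-n:]), rules.get(prevailing)

def registrable_domain(host, rules):  # eTLD+1, or None when host is itself a public suffix
    labels = host.lower().rstrip(".").split(".")
    n = public_suffix(host, rules)[0].count(".") + 1
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def cookie_domain_allowed(request_host, cookie_domain, rules):
    """RFC 6265bis: the Domain attribute must cover the host and must not be a bare public suffix."""
    host, dom = request_host.lower(), cookie_domain.lower().lstrip(".")
    if host != dom and not host.endswith("." + dom):
        return False  # Domain does not domain-match the request host
    return dom != public_suffix(dom, rules)[0] or host == dom  # bare public suffix: host-only cookie only
```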
Thanks for sharing those gotchas. I’ll be keeping them in mind when adding our domain. Thankfully we’ve utilized start.page as a separate domain to only host the pages. This does mean that we should be able to add ourselves to the PSL without too much fuss once we’ve got the basics in place.
My understanding is that the PSL is good-enough and avoids somewhat costly/unreliable TXT lookups for every domain when only a very tiny fraction of domains would actually want this treatment.
There is also a bit of security risk since browsers use this list to set cookie restrictions. If it were in DNS, which the vast majority of people use unencrypted, an adversary could manipulate responses to either (a) drop the TXT record altogether so the domain is not restricted or (b) craft a response in which the domain disables the behavior.
The public suffix list serves the purpose of only separating (sub)domains that are reasonably expected to be controlled by different owners.
Many systems - ex: rate limits, malware domain lists - would be very easily and cheaply gamed if domain owners could "disown" subdomains at will, just with a change in DNS. There's a fairly long review process to get onto the public suffix list for exactly this reason.
There's also the historical aspect, that DNS is a much older technology than the need for the public suffix list. Mozilla at the time couldn't expect that all registries would adopt a new standard quickly or at all. Since there was a need for this information for browser security improvements, the list was born, and gradually became the de facto standard source of such information.
Thanks, I managed to not be aware of this list until now, despite lots of professional experience building for the web, including two years working at a company that hosted 150k subdomains containing user-generated content.
OP phrased it poorly, but I'm likewise perplexed at how someone can be running a business that revolves around subletting a domain name and not know about the Public Suffix List. It seems like at some point they would have thought through some of the security problems inherent in sharing a domain, researched solutions, and learned about the list.
I really do wish that was the case but it's just not something that I've come across. I don't want to make excuses here and do take responsibility for it but sometimes I feel like we learn important lessons like this in the fire. Still, this one is on me for not knowing about it till today.
On that note though, I'm perplexed as to how people would manage this kind of thing if using paths instead of subdomains. So instead of <user>.start.page if we used start.page/user. In the latter case, I'm not sure how one would prevent their entire domain from being taken down if malicious users kept linking to malware hosted on file hosting/sharing sites. Is there something similar to the PSL for this?
At its core the issue in my head is user generated content linking out to malicious software being a point of trigger for entire sites being blocked. Does this mean that an entire publication site could be blocked if someone used a comment widget to link out to malware and the site got reported? That seems like an effective DoS mechanism at some point.
I guess what I'm struggling with is why the domain gets blocked instead of the actual url that contains malware (or even the single path that links out to it). Fwiw the google drive link hosting the malware is still active.