JDK-8201906

Switch to Mozilla Public Suffix List in Domain Name Checking

    • Type: CSR
    • Resolution: Approved
    • Priority: P3
    • Fix Version: 11
    • Component: security-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: low
    • Compatibility Risk Description:
      The home-grown list is different from Mozilla's, so there will be a behavior change. Although common public suffixes (e.g. the traditional gTLDs like ".com" and ".org", and common country-code TLDs like ".co.uk") are covered by both, Mozilla's list is much longer and claims to be "a list of all known public suffixes", including new gTLDs like ".africa" and localized ccTLDs like ".東京.jp". This means that "*.africa" was allowed in a certificate before but will be rejected after the change. Mozilla's list is used by most major browsers and is actively maintained by the community, and we believe it should be more correct than ours.
    • Interface Kind: Other
    • Scope: Implementation

      Summary

      Move from a home-grown public suffix list to the Mozilla Public Suffix List. The public suffix list is used by SocketPermission in name matching, and by the HostnameChecker class to check hostnames against the names specified in a certificate, as required for TLS and LDAP.

      Problem

      A "public suffix" is a domain under which Internet users can (or historically could) directly register names; it can be used to determine whether a domain name is safe to use in various cases. For example, ".co.uk" is a public suffix: one can register example.co.uk, but co.uk itself should not be registered by anyone. A certificate whose hostname covers "*.co.uk" is dangerous because, if it is compromised, it could allow an attacker to impersonate any host under that public suffix. Therefore this kind of certificate is not trusted in the JDK.
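
      As an added illustration (not the JDK's own code), the rule just described in Python: a small constructed fragment of a public suffix list, the Mozilla PSL matching algorithm (an exception rule wins outright, otherwise the longest matching rule), and the resulting check that rejects a certificate wildcard covering a whole public suffix. The names `parse_psl`, `public_suffix` and `wildcard_name_allowed` and the list contents are assumptions of this example, not JDK identifiers.

```python
# Added example, not JDK code: Mozilla-PSL-style suffix matching applied to
# the wildcard-certificate rule described above. The list below is a small
# CONSTRUCTED fragment in PSL syntax, not the real Mozilla list.

PSL_FRAGMENT = """
com
uk
co.uk
africa
jp
東京.jp
// wildcard rule: every label directly under "ck" is itself a public suffix
*.ck
// exception: www.ck is registrable despite the wildcard rule
!www.ck
"""


def parse_psl(text):
    """Split PSL text into (rules, exceptions); comments and blanks are skipped."""
    rules, exceptions = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        (exceptions if line.startswith("!") else rules).add(line.lstrip("!"))
    return rules, exceptions


def public_suffix(host, rules, exceptions):
    """PSL algorithm: exception wins, else longest rule; no rule -> last label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest candidate first
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if candidate in exceptions:          # "!www.ck" -> suffix is "ck"
            return parent
        if candidate in rules or ("*." + parent) in rules:
            return candidate
    return labels[-1]


def wildcard_name_allowed(cert_name, rules, exceptions):
    """False when a wildcard covers an entire public suffix ("*.co.uk")."""
    if not cert_name.startswith("*."):
        return True                          # not a wildcard; rule does not apply
    zone = cert_name[2:].lower().rstrip(".")
    # The zone is itself a public suffix iff its public suffix is the whole zone.
    return public_suffix(zone, rules, exceptions) != zone


RULES, EXCEPTIONS = parse_psl(PSL_FRAGMENT)
```

      With this fragment, `wildcard_name_allowed("*.example.co.uk", RULES, EXCEPTIONS)` is True while `"*.co.uk"`, `"*.africa"` and `"*.東京.jp"` are rejected.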

      Currently, the JDK has its own list of public suffixes, but it is hard to maintain.

      Solution

      The industry already has the Mozilla Public Suffix List, which is used by everyone. It is also actively maintained by the community. We will switch to this list in the JDK.

      Most likely we will update this list regularly (e.g. every LU/CPU release). There is no plan to provide an update tool for users.

      Specification

      This is a behavior change. We will switch from a home-grown list to Mozilla's PSL.

            Assignee: Weijun Wang
            Reporter: Weijun Wang
            Reviewed by: Alan Bateman, Chris Hegarty, Sean Mullan