Get the top HN stories in your inbox every day.
jefftk
devrand
It sounds like there's two cases:
1. Multi-tenant domains that probably should've always been in the PSL (ex. to provide cookie silos) but are only realizing now that they should be in it due to the arrival of PCM.
2. Sites that want to abuse an eTLD to do something like give all users on their social network a custom subdomain so that they're not polluting the same pool.
--
I think it was actually reasonable for Apple to consider the PSL as it's basically the most comprehensive eTLD list that we have and would allow them to match browser behavior.
The problem now is that case (1) is sending a bunch of requests at once as something will now actually break for these sites. Before now it was really just them being lax with security and not considering that cookies should be siloed. This isn't a unique situation btw, PSL also saw a large increase in inclusion requests when LetsEncrypt added rate limits based on eTLDs.
(2) is obviously bad and there's really no other justification for these sites being in the PSL.
Therefore I think it's reasonable for PSL to deny inclusion requests that are solely for PCM reasons.
This all being said, the PSL is a massive hack [1] and really needs to be replaced by something else. It probably is about time for these companies to invest in a replacement.
TechBro8615
Nice link to the GitHub issue which explains the problems clearly.
Can anyone explain why something like this wasn't implemented in the first place via DNS TXT records or tied to SSL somehow?
gumby
> Can anyone explain why something like this wasn't implemented in the first place via DNS TXT records or tied to SSL somehow?
The idea is to be able to use it without a network access, such as looking for unstructured URLs in text (e.g. "get a discount code at example.com/hn-reader"), formatting a URL in a browser bar (e.g. put the non-eDLD+1 in bold, or at least show the site name properly and not abbreviate all UK sites to "co.uk") or managing the cookie name properly (again, so everyone in co.uk doesn't share the same cookie).
Presumption is that the eTLDs are a tiny fraction (by orders of magnitude) from the domains registered under them so this db doesn't have to get too large.
I am not sure how to manage these strings automatically without them being spammed. They aren't all under the control of the TLD administrators (com.au is but cheapo-shop-hosting.com.au is not).
undefined
merb
1. Multi-tenant domains that probably should've always been in the PSL (ex. to provide cookie silos) but are only realizing now that they should be in it due to the arrival of PCM.
uff, well I did not know about that list and we have a domain that uses multi-tenacy.
I mean I'm unsure to include it but it probably adds a security benefit, so that it is impossible to add bad cookies from subdomains.
edit: can't add it anyway I'm not sure but our provider only allows to renew for 1 year (I'm not sure if that is a tld limit, since I also do not see other additional domains with de inside the list)
ghughes
That thread between FB & Apple is fascinating. The potential solutions being discussed have significant implications:
1. Apple: "not support eTLDs in PCM and only support TLDs" - so no more ad attribution for multi-tenant domains.
2. Facebook: "some sort of vetting process to determine who is using subdomains in a way that is aligned with the intended purpose of the PSL" - so Apple takes over the PSL inclusion process and institutes strict vetting to prevent abuse of PCM, which would presumably take months to implement.
This looks like a serious design problem with no solution that could be implemented before ATT drops.
3np
> That would cause tremendous harm to all the small businesses who operate on subdomains of TLDs like myshopify, and for what?
This was the giveaway that it was an FB person. Parts of that comment is verbatim from FB propaganda ads[0]. Maybe that awkward video from ~last month[1] was targeted more at aligning FB employees internally around the message, not the general public.
[0] https://www.bloomberg.com/news/articles/2020-12-16/facebook-...
[1] Which I can’t find now
jefftk
> This was the giveaway that it was an FB person.
I mean, they also say "Facebook finds itself in the position of trying to help advertisers navigate Apple’s ATT changes - answering a wide variety of questions. We ..." I think everyone involved knows this is an issue from FB?
ankmathur96
Do you have an actual response to this point or are you just criticizing that multiple people made that same argument?
geocar
These people believe they’re lucky to work at a place like Facebook, and after reading some of these asinine comments, I'm inclined to agree.
The idea that they shit in the pool and get the swimmers to defend them sounds crazy, but people do defend Facebook’s doo-doo, and it makes sense that if you’re already covered in shit, it’s probably easier to pay people like this to walk around with shit all over themselves and say with a straight face “Apple should pay for our shit” than I ever thought.
donmcronald
The biggest problem is that no matter what “scale” of tracking is tolerable on a single domain / subdomain, Facebook still gets the aggregate.
So if you fix it for small multi-tenant domains, nothing changes for Facebook and they still get all the aggregate data, right?
There’s going to be a lot of collateral damage before ads and tracking get fixed IMO.
wdb
After limited reading on the subject only the quoted issue.
Maybe shops like Etsy or Shopify should make tracking a premium benefit that is possible when getting your own domain :) Feels like a upsell opportunity to me
rectang
PSL: Public Suffix List
> A "public suffix" is one under which Internet users can (or historically could) directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. The Public Suffix List is a list of all known public suffixes.
> The Public Suffix List is an initiative of Mozilla, but is maintained as a community resource.
fotta
> It is inappropriate for presence or absense in PSL to be used by Facebook as a means to include or reject entries due to the IOS14 change, as PSL is not any form of security screen whatsoever, and the volunteer team maintaining the PSL is receiving the burden of being a sieve for the changes on interaction between those systems, which is taxing our resources.
> The ONLY validation performed by PSL volunteers and Github process to add listing in the PSL is to check that a DNS entry is added by the domain administrator that can be tied to, and this can be completely illusory and lite in reality in contrast to perhaps the deisred level of security that had been intended between Facebook Pixel and Apple.
> We are freezing the approval of new submissions that cite the FB / IOS 14 interop issue in order to provide Facebook or Apple, with a much more robust set of resources, the opportunity to sort this out amongst/betwixt themselves.
https://github.com/publicsuffix/list/issues/1245#issuecommen...
~~Seems like FB was abusing the work of volunteers here as a reaction to changes in iOS 14.~~ I don't see why they can't run their own PSL a la NTP servers.
edit: Seems like Apple was the one to declare PSL as canonical.
marketingtech
Apple is the company that declared this the canonical Public Suffix List. Facebook is just directing their customers towards it. "If you need to be considered a public suffix for Apple's new policy, you'll need to send your pull request to this repo."
HappyTypist
Apple should be officially supporting this project and turn it into an independent, but full-time gig. If the maintainers decline, Apple should hire someone to manage their own.
fotta
Ah I just read the links in jefftk's comment and it seems like you're right.
tialaramex
The existence of multiple independent definitions for eTLD+1 would be very likely to create security holes, via a Confused Deputy-type scenario.
If I was a security researcher, or a blackhat, and I found that bar.example is on the Mozilla PSL, and so Firefox considers foo.bar.example and quux.bar.example to be separate sites - while it isn't on the Apple PSL and so Apple's APIs treat foo.bar.example and quux.bar.example as parts of the same site (or vice versa), then I know I'm going to find weird bugs where Apple and the Firefox browser understand things about these two names differently and I can likely exploit that.
The preference from PSL team members is to do less with this hack over time, to put it behind us. But alas instead it motivates people to turn a hand-wavy notion "You know, a web site" into further reliance on the PSL instead of actually building a robust solution to their problem.
This is particularly inexcusable from Apple because it's not like Apple is hurting for resources. If they actually wanted to solve problems, they could put the work in; so I think we can conclude they weren't much interested in solving the problem, only as usual in ensuring somebody else takes the blame.
NovemberWhiskey
>edit: Seems like Apple was the one to declare PSL as canonical.
Dependency on the Public Suffix List is already baked into essentially 100% of the global browser market for purposes like control of setting cookies - I'm not sure Apple made it any more 'canonical' by depending on it here.
user3939382
It kind of reminds me of the manually-shared HOSTS.TXT list of domain names before we had DNS, and seems like a problem we also need formal infrastructure to solve long term.
marketingtech
This is a result of Apple limiting the entropy of marketing data that can be received from a domain (defined as an eTLD+1) to 6 bits.
This causes problems for platforms like Shopify or marketplaces like Alibaba or eBay that may have multiple sellers trying to run ads on a domain and competing for the same small pool of entropy.
This solution? Leverage the "public suffix" list to define your domain as an eTLD and give every seller a separate subdomain so that everyone gets their own data entropy namespace.
Now every hosting provider or online marketplace is scrambling to re-architect their site into subdomains with public suffixes to maintain the status quo.
tekstar
Pretty much all Shopify shops have their own domains, only a minority drive traffic to their .myshopify.com subdomain
bredren
I was a bit surprised that a shopify biz that could not be bothered to use its own domain would be very concerned about monitoring ad performance.
Seems someone would first effect to have a better branded site. As in, a decent TLD.
And that if anything, this is a kick in the pants of an ecommerce site to get its own domain(s) to deal with this.
Do I have that right?
43920
There's probably a decent number of sites that get most/all of their traffic from impulse purchases off of Facebook ads, and who have no actual branding. Obviously they should go ahead and just get a domain name, but they likely haven't had any reason to care up until this point either.
cblconfederate
Maybe shopify domains have better SEO than randomwebsite.com
simlevesque
Well, I could own google.myshopify.com and be happy with it but have no way to buy the .com
gsnedders
> This causes problems for platforms like Shopify or marketplaces like Alibaba or eBay that may have multiple sellers trying to run ads on a domain and competing for the same small pool of entropy.
This is essentially https://github.com/privacycg/private-click-measurement/issue....
Effectively it boils down to, "how can you distinguish the seller from the website owner?", if you want to give both seller and website owner entropy.
3np
> One thing that will not change is the existence of small businesses; in particular, small merchants who do not have their own eTLD+1 registered. Registering an eTLD+1, and hosting a website specific to a your business is a pretty high bar to demand of all businesses.
Benjamin savage is with FB I assume...? Registering a domain name should be table stakes if you want to run a business and have ad tracking with increased entropy online.
Is it reasonable to deny access to individuals without a phone number but unreasonable to give less ad tracking entropy to businesses without their own domain? Something about mosquitoes and camels there, no?
If a business cares more than 10$/year, registering a domain is a nobrainer. “Small businesses” are just being pawns in the chess game here - I’m yet to see an legit “small business” owner who cares or thinks this is an actual issue
FemmeAndroid
This followup issue seems to have a more clear writeup, especially for someone like me who is a bit out of the loop when it comes to the PSL:
https://github.com/privacycg/private-click-measurement/issue...
djrogers
While it does have quite a bit of details, this followup issue is clearly written by someone from FB or one of the other AdCos who wants to point the finger back at Apple. The tone and wording used here is rather rich and entitled.
pandemicsyn
you're not joking: https://github.com/privacycg/private-click-measurement/issue...
>Who will vet such a list continuously at a global scale? >Apple should. >Apple created this issue in the first place. The need for multi-tenant websites to add themselves to the PSL exists only because of the PCM design decision to limit measurement to registrable domains. The urgency exists because Apple's planned ATT enforcement.
wffurr
They seem to think that people can’t really “opt out” of “tracking” (scare quotes theirs). Talk about entitled.
dialtone
The quotes are entirely appropriate because adding some domain to the PSL makes the subdomains siloed cookie-wise so they can't share cookies and the PSL cannot use cookies anymore. Since they can't share cookies you can't track across even the same domain when added to the PSL.
This is a feature needed for sites like Rakuten, Shopify, Alibaba that have multiple merchants under the same domains.
Nothing to do with entitlement.
romanhn
Ben Savage is a pretty high-level engineer from Facebook's Ads org
dswalter
According to the comments in the history of that user on Github, it is someone who claims to be an engineer from Facebook in an earlier post: https://github.com/WICG/trust-token-api/issues/28#issue-6447...
dkonofalski
Seriously. I can see reasons that aren't entirely altruistic for Apple in trying to increase these privacy protections but trying to offload it back to Apple as if Facebook's abuse of consumer data isn't the real reason for this is ridiculous.
undefined
marketingtech
This is fascinating to see Apple and Facebook engineers politely yet publicly arguing over potential technical implementations of Apple's privacy policies.
tgragnato
Benjamin Savage doesn’t look polite to me. Is it because I’m not a native speaker?
Doctor_Fegg
You're right, it's not that polite. "If Apple can develop a scaled process to review the millions of apps submitted to the Apple store, surely it is also capable of reviewing the few dozen multi-tenant domains that exist on the internet" is very passive-aggressive.
vHMtsdf
The linked discussion makes me wonder, how much of our existence on the internet is just an unintended consequence of some minor engineering decision? Whim of an unknown engineer creating or destroying million dollar industries down the line...
lmb
Seems like the right move from a volunteer run project, what will the future will hold though? Artificial scarcity is always a problem.
On another note, for just 20k$ I can offer you exclusive use of the xxgfzrf.dinglebop.me Public Suffix so that you can keep tracking your users. Please reach out to sales@example.com if you are interested.
dialtone
It's interesting because being added to the PSL reduces your ability to track users. So yeah, I have a bridge to sell you, interested?
djrogers
> being added to the PSL reduces your ability to track users
Not really, in fact it can increase your ability to track users if it's (ab)used in specific ways - see use case #2 and #3 here:
https://github.com/privacycg/private-click-measurement/issue...
dialtone
There's an approval process to be added to the PSL so abuses would be quite surprising and easy to remove when discovered.
devrand
To make things worse, it's basically impossible to remove a domain from the PSL as no one knows how software built against the PSL would handle it. A removal could break tremendous amount of software that people rely on.
pornel
Reminder that the Public Suffix List is a non-scalable hack, and platforms should be reducing their reliance on it, not increase it:
dwaite
It doesn't really propose an alternative to the PSL for 'same site' behavior, instead just pushes for 'same origin' (aka exact match) behavior.
I would agree that e.g. Apple would be better to support both same-site and same-origin, and say, clobber PCM if it receives a request for one after it has already received a request for the other.
gruez
Can someone provide more context here? How does being added to the PSL affect tracking? Why are businesses adding themselves to the PSL en masse?
twobitshifter
PSL is used to determine the level that a unique domain is registered at. This restricts cookies and privileges to that domain. It’s just a simple list because both .com and .co.uk are valid suffixes. Ios14 is using this list to prevent apps from tracking you across sites by limiting the data that can be stored per site. If you can get your domain recognized as a suffix as mysite.com then you can split information between all higher level domains. client1.mysite.com and client2.mysite.com. This allows you to store as much information as you want.
TechBro8615
The PSL has always been a giant hack and totally unmaintainable in the long term. It's only a matter of time before someone mistakenly relying on it for security purposes gets owned by a rogue PR. Also, as mentioned in some of these issues, browsers don't even update it on any sort of guaranteed schedule.
jakear
The fun thing is you can s/PSL/DNS/g and the statement still holds. Same for BGP
sergiotapia
So much brain power and work wasted on this ad bullshit
amelius
Yes and ads also stimulate over-consumption which hurts the planet.
The solution is to block all ads, or even better, ban them.
layoutIfNeeded
Why are we using a centralized list for determining who's an eTLD and who's not? Why don't we store this metadata in the actual DNS records?
throw14082020
What is a PSL inclusion request? Public Suffix List?
pugworthy
Same question - what is PSL?
My best guess at the moment is Public Suffix List.
kogir
Isn’t the easiest solution here for companies to register their own domain? Why be company.service.tld and not just company.tld? What are these businesses doing for email?
mrweasel
In this case I think the issue is trackers. If you owned a retargeting or tracking service, you might have customer1.retargetting.com and customer2.retargetting.com. Apple will now see these as being the same site, unless individually registered in PSL. This limits the amount of data that can be aggregated by retargetting.com, unless each subdomain is added to PSL.
3np
I think this is it - the only "small businesses" I see being actually hurt (as opposed to slightly inconvenienced) by this would be retargeting and tracking companies.
donmcronald
Yes, it is. The main reason I can think of for using subdomains would be for super low value content that isn’t worth $10-30 / year for a real domain.
There could also be a setup / maintenance angle I guess. Specifying a big list of custom domains is more work than *.example.com.
mangosquash
I work on digital advertising for a franchise where each individual store manages their own shopify site at location.franchise.com. Soon, these sites won't be able to run ads that track purchases, unless franchise.com is added to this list.
I understand the PSL managers' position that this is an unfair burden to place on them though.
donmcronald
Yeah, I didn’t quite understand it correctly at first. That’s a really good example of a legit use case that’s collateral damage from Apple vs Facebook.
I can think of other issues now too. For example, I think government services should be structured as subdomains instead of each department registering a separate domain. This will encourage the use of separate domains if they need to track effectiveness and that’s bad IMO. We don’t want to normalize stuff like irsonline.com because of the boost it gives phishing.
There’s definitely two sides to this one.
local_dev
>these sites won't be able to run ads that track purchases
Isn't that part of the purpose of the changes that Apple is making? As a user, this seems like a great change. Less tracking is a positive.
3np
I think that's precisely according to intentions. Either they're separate entities with separate domains, or they're run by the same entity and get the same entropy.
> Soon, these sites won't be able to run ads that track purchases, unless franchise.com is added to this list.
They still can, though, right? Just that they don't get more bits than if they had everything on one site. It's just that they can't "eat the cake and have it".
Get the top HN stories in your inbox every day.
Summary: Apple introduced PCM [1], and to keep people from using it for cross-site tracking it limits the bits available to a single site (as defined by the PSL). If shop-a.retail.example and shop-b.retail.example are completely separate, and don't want to compete for bits, Apple will still treat them as a single site unless retail.example is on the PSL. Being on the PSL is a big change (partitioned cookies, etc) but could be appropriate for different shops.
FB issued guidance suggesting domains like retail.example consider getting themselves added to the PSL, and now the PSL (a volunteer project) is getting a lot of requests. The PSL project has put these requests on hold, and asked FB and Apple to work this out. FB is talking to Apple in https://github.com/privacycg/private-click-measurement/issue...
[1] https://webkit.org/blog/11529/introducing-private-click-meas...