Add sealos.app and regional domains to the PSL#2741

Open

yangchuansheng wants to merge 1 commit into publicsuffix:main from yangchuansheng:main

Conversation

@yangchuansheng commented Jan 14, 2026

Added Sealos domains to the public suffix list.

Public Suffix List (PSL) Submission

Checklist of required steps

  • Description of Organization

  • Robust Reason for PSL Inclusion

  • DNS verification via dig

  • Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _psl TXT record in place in the respective zone(s).

Submitter affirms the following:

  • We are listing any third-party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)
  • Cloudflare
  • Let's Encrypt
  • MAKE SURE UPDATE THE FOLLOWING LIST WITH YOUR LIMITATIONS! REMOVE ENTRIES WHICH DO NOT APPLY AS WELL AS REMOVING THIS LINE!
  • This request was not submitted with the objective of working around other third-party limits.
  • The submitter acknowledges that it is their responsibility to maintain the domains within their section. This includes removing names which are no longer used, retaining the _psl DNS entry, and responding to e-mails to the supplied address. Failure to maintain entries may result in removal of individual entries or the entire section.
  • The Guidelines were carefully read and understood, and this request conforms to them.
  • The submission follows the guidelines on formatting and sorting.
  • A role-based email address has been used and this inbox is actively monitored with a response time of no more than 30 days.

Abuse Contact:

  • Abuse contact information (email or web form) is available and easily accessible.

    URL where abuse contact or abuse reporting form can be found:


For PRIVATE section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

  • Yes, I understand. I could break my organization's website cookies and cause other issues, and the rollback timing is acceptable. Proceed anyways.

Description of Organization

Sealos is a cloud operating system and PaaS provider. We allow users to deploy containerized applications and databases on our platform.

Organization Website: https://sealos.io

Reason for PSL Inclusion

When users deploy services, they are assigned subdomains under our regional domains (e.g., my-app.usw-1.sealos.app). These subdomains are controlled by third-party users and content is untrusted.

We are requesting the addition of sealos.app and its regional subdomains to the Public Suffix List to ensure security isolation (preventing cookie tossing/supercookie issues) between different user applications hosted on the same infrastructure.

Number of users this request is being made to serve: 10000+ users

DNS Verification

```
dig +short TXT _psl.sealos.app
"https://github.com/publicsuffix/list/pull/2741X"
```

@pencilnav commented

Hi, there are some problems that you'll need to fix before this can get merged.

  • sealos.app expires 2027-01-14T04:20:04.499Z (364 days from today). Fails minimum 2-year requirement; domain must be renewed. Can be checked via https://www.registry.google/rdap-lookup/

  • <cloud-native-yang@sealos.io> should be replaced with a role-based email.

  • An abuse contact wasn't found on your site; is https://sealos.io/contact supposed to have it?

  • Should implement redirection from the 4 PSL domains to https://sealos.io/ (for easier abuse reporting)

@pencilnav commented

> When users deploy services, they are assigned subdomains under our regional domains (e.g., my-app.usw-1.sealos.app). These subdomains are controlled by third-party users and content is untrusted.
>
> Number of users this request is being made to serve: 10000+ users

The requested PSL domain was created a day ago with 5 certificates and 1 subdomain only, so I can't really find any useful information.

I did a search on sealos.io using the subdomain finder and crt.sh, and based on the results returned I'm assuming you are migrating user content off sealos.io to a separate domain (sealos.app).

However, there are only 174 subdomains, and roughly 20 of them use a usw 2LD.

https://crt.sh/?q=sealos.io&dir=^&sort=1&group=icaid
https://crt.sh/?q=usw.sealos.io&dir=^&sort=1&group=icaid
https://crt.sh/?q=usw-1.sealos.io&dir=^&sort=1&group=icaid
https://crt.sh/?q=usw-2.sealos.io&dir=^&sort=1&group=icaid

A historic scan of sealos.io on the subdomain finder shows only 139 domains; the number of new domains over the past 2 years can hardly support your claim.

And also, usw.sealos.io was flagged on VirusTotal for phishing and other fraud, and 3 of the 4LDs were also flagged on VirusTotal for phishing and/or being malicious.

https://www.virustotal.com/gui/domain/fhhxsgaemumq.usw.sealos.io
https://www.virustotal.com/gui/domain/fwveufxrmgya.usw.sealos.io
https://www.virustotal.com/gui/domain/yhxozxek.usw.sealos.io

@groundcat (Contributor) commented

> I did a search on sealos.io using the subdomain finder and crt.sh, and based on the results returned I'm assuming you are migrating user content off sealos.io to a separate domain (sealos.app).

I think they are submitting sealos.app, not sealos.io

@groundcat (Contributor) commented

Hi @yangchuansheng

  • Do you have a rough estimate of how many users will actually use the sealos.io subdomains?
  • Have you considered implementing __Host- prefixed cookies as an initial security measure for your subdomain isolation needs, while also exploring other application-level controls that could provide boundaries between apps without relying on the Public Suffix List?

Added Sealos domains to the public suffix list.

Signed-off-by: Carson Yang <yangchuansheng33@gmail.com>
@yangchuansheng (Author) commented

> Hi, there are some problems that you'll need to fix before this can get merged.
>
> * sealos.app expires `2027-01-14T04:20:04.499Z (364 days from today)`. Fails minimum 2-year requirement; domain must be renewed. `Can be checked via https://www.registry.google/rdap-lookup/`
>
> * `<cloud-native-yang@sealos.io>` should be replaced with a role-based email.
>
> * An abuse contact wasn't found on your site; is https://sealos.io/contact supposed to have it?
>
> * Should implement redirection from the 4 PSL domains to https://sealos.io/ (for easier abuse reporting)

I have addressed all the issues mentioned:

  1. Domain Renewal: sealos.app has been renewed and now meets the minimum 2-year validity requirement.
  2. Role-based Email: I have updated the entry in the public_suffix_list.dat file, replacing the personal email with a role-based address (contact@sealos.io).
  3. Abuse Contact: I have created a dedicated abuse reporting page at https://sealos.io/abuse which contains all necessary contact information.
  4. Redirection: I have configured sealos.app and its regional subdomains to redirect to the main landing page (https://sealos.io) to facilitate easier access to platform information and abuse reporting.

Please let me know if there is anything else needed.

@yangchuansheng (Author) commented

> > When users deploy services, they are assigned subdomains under our regional domains (e.g., my-app.usw-1.sealos.app). These subdomains are controlled by third-party users and content is untrusted.
> >
> > Number of users this request is being made to serve: 10000+ users
>
> The requested PSL domain was created a day ago with 5 certificates and 1 subdomain only, so I can't really find any useful information.
>
> I did a search on sealos.io using the subdomain finder and crt.sh, and based on the results returned I'm assuming you are migrating user content off sealos.io to a separate domain (sealos.app).
>
> However, there are only 174 subdomains, and roughly 20 of them use a usw 2LD.
>
> https://crt.sh/?q=sealos.io&dir=^&sort=1&group=icaid
> https://crt.sh/?q=usw.sealos.io&dir=^&sort=1&group=icaid
> https://crt.sh/?q=usw-1.sealos.io&dir=^&sort=1&group=icaid
> https://crt.sh/?q=usw-2.sealos.io&dir=^&sort=1&group=icaid
>
> A historic scan of sealos.io on the subdomain finder shows only 139 domains; the number of new domains over the past 2 years can hardly support your claim.
>
> And also, usw.sealos.io was flagged on VirusTotal for phishing and other fraud, and 3 of the 4LDs were also flagged on VirusTotal for phishing and/or being malicious.
>
> https://www.virustotal.com/gui/domain/fhhxsgaemumq.usw.sealos.io
> https://www.virustotal.com/gui/domain/fwveufxrmgya.usw.sealos.io
> https://www.virustotal.com/gui/domain/yhxozxek.usw.sealos.io

Thanks for the thorough investigation.

1. Real Scale and Business Legitimacy:
We are a global PaaS provider operating in multiple regions:

  • Global Scale: We serve over 10,000+ paid customers across all our regions (including our large Asia presence which uses domains like hzh.sealos.run, bja.sealos.run, gzg.sealos.run, etc.).
  • USW Region (The domain in question): On usw.sealos.io alone, we have 10,000+ registered users and 100+ paid subscribers.

2. Regarding the VirusTotal flags:
This is exactly why we are requesting this change.

Because we offered free tiers on sealos.io without strict domain isolation, bad actors were able to impact our main domain's reputation. We are now migrating to a stricter architecture:

  1. Isolation: Moving user content to sealos.app (the PSL request).
  2. Better Vetting: We have implemented stricter KYC (Know Your Customer) and payment verification for the new domain to prevent the abuse issues seen on the old domain.

We are trying to do the right thing by separating user content from our brand.

@pencilnav commented Jan 21, 2026

> I think they are submitting sealos.app, not sealos.io

@groundcat The reason I did the check on sealos.io (their company site) is because I'm assuming they are moving user sites previously hosted on sealos.io to sealos.app: sealos.app has only a few certificates issued to that domain and only one active subdomain running in my previous research, and the subdomains running on sealos.io match how they claim subdomains on sealos.app will work. (sealos.app is the submitted PSL domain)

https://crt.sh/?q=sealos.app&dir=%5E&sort=1&group=icaid
https://subdomainfinder.c99.nl/scans/2026-01-15/sealos.app

https://crt.sh/?q=sealos.io&dir=%5E&sort=1&group=icaid
https://subdomainfinder.c99.nl/scans/2026-01-15/sealos.io

Upon checking sealos.io (with the assumption above) I found only 174 visible subdomains on the subdomain finder, and only a few of them match what the submitter claimed are for users (usw, usw-1 2LDs).

The goal of that post is to fact-check the user count claim in their submission form. If they are moving subdomains off sealos.io to sealos.app, then checking subdomains on sealos.io should show their current active user counts, which seemed to be exaggerated (a lot).

> Number of users this request is being made to serve: 10000+ users

My assumption that they are moving user sites previously hosted on sealos.io to sealos.app was confirmed by the submitter @yangchuansheng.

@simon-friedberger (Contributor) commented Jan 21, 2026

If you really want regional domains, could you use a wildcard entry instead?

@pencilnav commented Jan 21, 2026

> Global Scale: We serve over 10,000+ paid customers across all our regions (including our large Asia presence which uses domains like hzh.sealos.run, bja.sealos.run, gzg.sealos.run, etc.).
>
> USW Region (The domain in question): On usw.sealos.io alone, we have 10,000+ registered users and 100+ paid subscribers.
>
> Moving user content to sealos.app (the PSL request).

@yangchuansheng

I have so many questions.

  • Are all of your users getting a subdomain? (Because the certificate counts for sealos.run, sealos.io and sealos.app are all pretty low after excluding expired certificates)
  • It's hard for me to believe that you have 10k paying users with the above results. What is your actual number of users this request is being made to serve? (i.e. active user count. For example in Add corespeed.app #2743 (comment), the author provided the number of subdomains in use, and the number of users that are using subdomains on the submitted PSL domain.)
  • There are standard security practices that work immediately, without waiting months or years for PSL propagation. Have you considered implementing these?

> Additionally, cookie isolation between subdomains can be effectively achieved through standard security practices that work immediately, without waiting months or years for PSL propagation: use the __Host- cookie prefix (which enforces Secure, Path=/, and no Domain attribute), implement proper SameSite attributes, and ensure HTTPS across all subdomains. These practices provide strong security boundaries and don't require PSL inclusion. Consider implementing these measures first, then revisiting PSL submission once your platform has demonstrably scaled to serve thousands of active users.

Quoted from @groundcat (#2743 (comment))

Please note per PSL guidelines:

> Projects that are smaller in scale or are temporary or seasonal in nature will likely be declined. Examples include private-use, sandbox, test, lab, beta, or other exploratory requests. It should be expected that, regardless of any referral, projects not serving more than thousands of users are quite likely to be declined.
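The cookie-tossing rationale in the submission, the wildcard entry simon-friedberger suggests, and the __Host- prefix alternative quoted above, worked through as an added example (Python written for this page, not PSL project code or any participant's): a minimal matcher for the PSL algorithm applied to constructed rule sets with and without a sealos.app entry, the acceptance check a browser applies to a cookie Domain attribute, and the __Host- prefix constraints. Rule sets and hostnames are constructed; the exact entries the PR adds are not shown on this page.

```python
from __future__ import annotations

# Constructed rule sets: BEFORE has only the TLD (sealos.app not listed); AFTER adds
# the explicit entry plus the wildcard form suggested in the thread (assumed shape).
PSL_BEFORE = ["app"]
PSL_AFTER = ["app", "sealos.app", "*.sealos.app"]


def public_suffix(host: str, rules: list[str]) -> str:
    """PSL algorithm: longest matching rule wins; a '!' exception rule beats
    wildcards and its public suffix is the rule minus its leftmost label."""
    labels = host.lower().rstrip(".").split(".")
    best, exc_won = 1, False                    # implicit default rule "*"
    for rule in rules:
        is_exc = rule.startswith("!")
        rlabels = rule.lstrip("!").split(".")
        if len(rlabels) > len(labels):
            continue
        if not all(r in ("*", h) for r, h in zip(reversed(rlabels), reversed(labels))):
            continue
        n = len(rlabels) - 1 if is_exc else len(rlabels)
        if (is_exc and not exc_won) or (is_exc == exc_won and n > best):
            best, exc_won = n, is_exc
    return ".".join(labels[-best:])


def registrable_domain(host: str, rules: list[str]) -> str | None:
    """Public suffix plus one label; None when the host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = public_suffix(host, rules).count(".") + 1
    return None if n >= len(labels) else ".".join(labels[-(n + 1):])


def cookie_domain_accepted(request_host: str, cookie_domain: str, rules: list[str]) -> bool:
    """Would a browser store Set-Cookie ... Domain=cookie_domain sent by request_host?"""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    if host != dom and not host.endswith("." + dom):
        return False                            # Domain does not domain-match the host
    if dom == public_suffix(dom, rules) and host != dom:
        return False                            # a public suffix may not be shared via Domain
    return True


def host_prefix_valid(name: str, attrs: dict[str, object]) -> bool:
    """__Host- cookies must be Secure, Path=/ and carry no Domain attribute."""
    if not name.startswith("__Host-"):
        return True
    return attrs.get("Secure") is True and attrs.get("Path") == "/" and "Domain" not in attrs
```

With PSL_BEFORE, an app on my-app.usw-1.sealos.app can set Domain=usw-1.sealos.app and the cookie reaches every sibling app on that region; with PSL_AFTER the same Set-Cookie is rejected, and a __Host- cookie is origin-bound under either rule set.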
