Certificate Transparency

Certificate Transparency is a new layer of security on top of TLS ecosystem

Technology description

Certificate Transparency is a new layer of security on top of TLS ecosystem. It is mandatory in Chrome for new certificates since 2017. This Firefox plugin makes the browser compatible with Certificate Transparency checking the SCT (Signed Certificate Timestamp) embedded in the certificates that protects the webs the user visits.

Functionalities

A certificate is considered “logged” if it counts with a SCT (Signed Certificate Timestamp). This SCT is given to the owner of the certificate when logged, and the browser has to verify it is real and current. This is exactly what Chrome has been doing for a while now. Now Firefox, thanks to this plugin, is able to check the SCT for certificates.

Our plugin works with lots of logs. It means that it does not matter from which log the SCT comes from, we will be able to check it because we have introduced the public key and address of basically all known logs so far:

Google ‘Pilot’, Google ‘Aviator’, DigiCert Log Server, Google ‘Rocketeer’, Certly.IO, Izenpe, Symantec, Venafi, WoSign, WoSign ctlog, Symantec VEGA, CNNIC CT, Wang Shengnan GDCA , Google ‘Submariner’, Izenpe 2nd, StartCom CT, Google ‘Skydiver’, Google ‘Icarus’ , GDCA, Google ‘Daedalus’, PuChuangSiDa, Venafi Gen2 CT, Symantec SIRIUS and DigiCert CT2.

SCT may be delivered by three different ways:
- Embedded in the certificate
- With a TLS extension
- In OCSP

It is not easy from a plugin technical perspective to get to TLS or OCSP extensions layer and check the SCT. Even for Mozilla engineers. Our plugin so far checks for SCT embedded in the certificate itself. Although not ideal, this is the most common scenario so most of certificates distribute its SCT embedded.
Certificate Transparency
Innovation Technologies

EmetRules

A simple command line tool that creates a configuration for importing into EMET, so that the user does not need to take any action.

Pin Patrol for Chrome

A tool for improving the experience using HSTS and HPKP in Chrome. It shows this information in a human readable way, from your own browser or from any other.

Pin Patrol for Firefox

Firefox extension that shows in a readable format, the state of HSTS (HTTP Strict Transport Security) and HPKP (HTTP Public Key Pins) domains stored by the browser.