Expect-CT reports
You could get a report when a browser loaded your site with a TLS certificate that didn't meet the requirements of the browser's Certificate Transparency (CT) policy.
For example, Google Chrome requires all publicly-trusted TLS certificates issued after April 30, 2018 to be "CT Qualified" in order to be recognized as valid.
Nowadays, this means that Chrome requires CT on all public sites, so Expect-CT could only be used as a tool to detect misconfigurations.
But CT certificate configuration is almost always done by certification authorities, virtually never by site owners, so the usefulness of Expect-CT as a debugging tool is also very limited.
In October 2022, Chrome removed Expect-CT in version 107. Chrome was also the only browser that had implemented Expect-CT support.
The Expect-CT response header:

Expect-CT: max-age=1800, enforce, report-uri="https://lace.has.report/report"

- max-age: for how many seconds the browser should remember to send violation reports, or enforce the policy
- enforce: optional; if present, the browser should refuse future connections that violate the CT policy, for max-age seconds after the reception of the Expect-CT header. Using enforce doesn't make sense with max-age=0. Also keep in mind that some browsers have their own CT requirements that cannot be disabled by simply omitting enforce or setting a short max-age
- report-uri: where to send policy violation reports to, must use HTTPS
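The directive rules above, turned into a small parser and sanity check. This is an added example, not code from the reporting service: it splits a header value into its directives, requires max-age to be a non-negative integer, rejects a report-uri that is not https://, and warns when enforce is combined with max-age=0, since such a policy expires the moment it is received. The dataclass and function names are this example's own.

```python
"""Parse and sanity-check an Expect-CT header value (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class ExpectCT:
    max_age: int
    enforce: bool = False
    report_uri: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def parse_expect_ct(value: str) -> ExpectCT:
    """Return the parsed policy; raise ValueError for a value a browser would ignore.

    `value` is the header value only, e.g.
    'max-age=1800, enforce, report-uri="https://lace.has.report/report"'.
    """
    max_age = None
    enforce = False
    report_uri = None
    seen = set()
    # Directives are comma-separated; report-uri carries a quoted URL.
    for raw in value.split(","):
        part = raw.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(arg)
        elif name == "enforce":
            if arg:
                raise ValueError("enforce takes no value")
            enforce = True
        elif name == "report-uri":
            # Strip the surrounding double quotes, then insist on HTTPS.
            uri = arg[1:-1] if len(arg) >= 2 and arg[0] == arg[-1] == '"' else arg
            if urlparse(uri).scheme != "https":
                raise ValueError("report-uri must use HTTPS")
            report_uri = uri
        else:
            raise ValueError(f"unknown directive: {name}")
    if max_age is None:
        raise ValueError("max-age is required")
    policy = ExpectCT(max_age=max_age, enforce=enforce, report_uri=report_uri)
    if enforce and max_age == 0:
        # The policy is forgotten immediately, so enforce never takes effect.
        policy.warnings.append("enforce with max-age=0 has no effect")
    return policy


if __name__ == "__main__":
    print(parse_expect_ct('max-age=1800, enforce, report-uri="https://lace.has.report/report"'))
    print(parse_expect_ct("max-age=0, enforce").warnings)
```

Directive names are lower-cased before matching because header directive names are case-insensitive; the report-uri value is kept exactly as sent, only the quotes are removed.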
Test Expect-CT reporting
It would be quite a feat to get a certificate that violates, for example, Chrome's CT policy, so there's no "click here to generate the report" button here. Until the feature was removed, Chrome offered to send a test Expect-CT report:
- Go to Chrome's Domain Security Policy debug page: chrome://net-internals/#hsts (you need to copy & paste the link)
- Scroll down to Send test Expect-CT report
- Enter your custom reporting endpoint address https://lace.has.report/report (copy & paste) into the Report URI field
- Hit Send and you should see that the Test report succeeded
- Check your reports
- You'll find one expect-ct-report test report for the expect-ct-report.test host, with no scts and empty certificate chains
Example Expect-CT report
This is what the full report looked like:

{
  "expect-ct-report": {
    "port": 443,
    "scts": [
      {
        "serialized_sct": "<Base64 Signed Certificate Timestamp data>",
        "source": "embedded",
        "status": "unknown",
        "version": 1
      },
      {
        "serialized_sct": "<Base64 Signed Certificate Timestamp data>",
        "source": "embedded",
        "status": "unknown",
        "version": 1
      }
    ],
    "hostname": "expect-ct-report.test",
    "date-time": "2020-05-15T23:16:25.889Z",
    "served-certificate-chain": [
      "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n",
      "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n"
    ],
    "effective-expiration-date": "2020-05-15T23:16:25.889Z",
    "validated-certificate-chain": [
      "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n",
      "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n",
      "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n"
    ]
  }
}
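What a receiving endpoint does with a body like the one above, and how it tells Chrome's test report (described in the testing steps: expect-ct-report.test host, no scts, empty chains) apart from a real violation. This is an added example, not the reporting service's own code. It validates the fields shown in the report, counts SCTs by source and status, and checks that every chain entry is PEM-framed. The two sample bodies are constructed here: one copies the example report with placeholder SCT and PEM data, the other is the empty test report; the function and constant names are this example's own.

```python
"""Validate and summarize an Expect-CT report body (added example)."""
import json
from datetime import datetime, timezone

REQUIRED = ("hostname", "port", "date-time", "effective-expiration-date",
            "served-certificate-chain", "validated-certificate-chain", "scts")
TEST_HOSTNAME = "expect-ct-report.test"   # host used by Chrome's test report

# Constructed sample bodies (placeholder data, not real certificates or SCTs).
PEM = "-----BEGIN CERTIFICATE-----\n<PEM certificate data>\n-----END CERTIFICATE-----\n"
SCT = {"serialized_sct": "<Base64 SCT>", "source": "embedded",
       "status": "unknown", "version": 1}
SAMPLE_REPORT = json.dumps({"expect-ct-report": {
    "port": 443,
    "scts": [SCT, SCT],
    "hostname": TEST_HOSTNAME,
    "date-time": "2020-05-15T23:16:25.889Z",
    "served-certificate-chain": [PEM, PEM],
    "effective-expiration-date": "2020-05-15T23:16:25.889Z",
    "validated-certificate-chain": [PEM, PEM, PEM],
}}).encode()
TEST_REPORT = json.dumps({"expect-ct-report": {
    "port": 443, "scts": [], "hostname": TEST_HOSTNAME,
    "date-time": "2020-05-15T23:16:25.889Z", "served-certificate-chain": [],
    "effective-expiration-date": "2020-05-15T23:16:25.889Z",
    "validated-certificate-chain": [],
}}).encode()


def _is_pem(cert: str) -> bool:
    return (cert.startswith("-----BEGIN CERTIFICATE-----")
            and "-----END CERTIFICATE-----" in cert)


def summarize_report(body: bytes) -> dict:
    """Return a summary of the report, or raise ValueError if it is malformed."""
    try:
        outer = json.loads(body)
    except ValueError as exc:
        raise ValueError(f"body is not JSON: {exc}") from None
    report = outer.get("expect-ct-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing expect-ct-report object")
    missing = [k for k in REQUIRED if k not in report]
    if missing:
        raise ValueError(f"missing fields: {', '.join(missing)}")
    if not isinstance(report["port"], int) or not 1 <= report["port"] <= 65535:
        raise ValueError("port out of range")
    # date-time is RFC 3339 with a trailing Z; rewrite it as an offset for fromisoformat.
    when = datetime.fromisoformat(report["date-time"].replace("Z", "+00:00"))
    for key in ("served-certificate-chain", "validated-certificate-chain"):
        if not all(isinstance(c, str) and _is_pem(c) for c in report[key]):
            raise ValueError(f"{key} contains a non-PEM entry")
    # Tally SCTs as "source/status" so a missing or failing SCT stands out.
    sct_counts = {}
    for sct in report["scts"]:
        label = f'{sct.get("source", "?")}/{sct.get("status", "?")}'
        sct_counts[label] = sct_counts.get(label, 0) + 1
    is_test = (report["hostname"] == TEST_HOSTNAME
               and not report["scts"]
               and not report["served-certificate-chain"])
    return {
        "hostname": report["hostname"],
        "port": report["port"],
        "received": when.astimezone(timezone.utc).isoformat(),
        "sct_counts": sct_counts,
        "served_chain_len": len(report["served-certificate-chain"]),
        "validated_chain_len": len(report["validated-certificate-chain"]),
        "is_test_report": is_test,
    }


if __name__ == "__main__":
    print(summarize_report(SAMPLE_REPORT))
    print(summarize_report(TEST_REPORT))
```

Rejecting malformed bodies before storing them matters because the report-uri is a public endpoint that anyone can POST to; only the structural checks above are possible without the real certificate data, so a real deployment would go on to parse the PEM chain and decode the SCTs.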
Related specs & documents
- Expect-CT Extension for HTTP (RFC 9163)
- Known Certificate Transparency logs
- Chrome's CT policy
- Apple's CT policy
- crt.sh Certificate Search