A big step for web security

Certificate Transparency (CT) is one of the largest web security improvements, protecting users from threats such as attacks that abuse certificates. While CT has been around for more than 11 years, its implementation has varied across browsers.
Firefox now enforces Certificate Transparency on desktop platforms, an important step toward a safer web. With this change, effective in version 135, Firefox rejects certificates that do not meet CT requirements. This ensures that all certificates trusted by the browser meet high transparency standards.
What does this mean for website owners?
This ensures that any TLS certificate trusted by Firefox is logged and publicly recorded in a Certificate Transparency log. If your website already follows best practices and uses CT-compliant certificates, you don't have to take any further action. However, if you are unsure, here are some steps you can take:
- Ensure your Certificate Authority (CA) supports CT logging – Most major CAs comply, but if you are using an unusual CA, verify its status.
- Monitor your certificates – Use Certificate Transparency monitoring services and tools to ensure that no unauthorized certificates accepted by Firefox and other CT-enforcing user agents are issued for your domain.
Firefox CT in action
Certificate Transparency information can be delivered as either:
- signed certificate timestamps (SCTs) embedded in the certificate itself, or
- SCTs delivered alongside the certificate (through the TLS handshake or an OCSP response).
For a connection to succeed, sufficient Certificate Transparency information must be supplied using either of these methods. See the Firefox CT policy for more details.
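Both delivery methods carry the same serialized SCT list (RFC 6962, section 3.3) once it is unwrapped from the certificate, TLS or OCSP extension. The following Python parser is an added example, not code from the original post or from Firefox; it lists which logs issued the SCTs, and the sample SCTs, log IDs and signatures in it are constructed.

```python
import struct

def parse_sct_list(data: bytes) -> list[dict]:
    """Parse a SignedCertificateTimestampList (RFC 6962 section 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length does not match the data")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack_from(">H", data, pos)
        sct = data[pos + 2:pos + 2 + n]
        pos += 2 + n
        if len(sct) != n or n < 47:
            raise ValueError("truncated SCT")
        # Fixed v1 header: version, 32-byte log ID, ms timestamp, extensions length
        version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct)
        sig_off = 43 + ext_len
        if version != 0 or sig_off + 4 > n:
            raise ValueError("unsupported or malformed SCT")
        hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, sig_off)
        if sig_off + 4 + sig_len != n:
            raise ValueError("signature length does not match the SCT")
        scts.append({"log_id": log_id.hex(), "timestamp_ms": ts_ms,
                     "hash_alg": hash_alg, "sig_alg": sig_alg})
    return scts

def distinct_logs(data: bytes) -> int:
    """Number of different logs that issued SCTs in the list."""
    return len({s["log_id"] for s in parse_sct_list(data)})

def build_sct(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
    """Serialize one constructed v1 SCT (sample data only, signature is fake)."""
    body = struct.pack(">B32sQH", 0, log_id, ts_ms, 0)
    body += struct.pack(">BBH", 4, 3, len(sig)) + sig  # 4 = sha256, 3 = ecdsa
    return struct.pack(">H", len(body)) + body

def build_list(*scts: bytes) -> bytes:
    joined = b"".join(scts)
    return struct.pack(">H", len(joined)) + joined

# Constructed sample: two SCTs with made-up log IDs, not real CT logs
SAMPLE = build_list(
    build_sct(b"\xaa" * 32, 1740000000000, b"\x01" * 70),
    build_sct(b"\xbb" * 32, 1740000001000, b"\x02" * 71),
)

if __name__ == "__main__":
    for s in parse_sct_list(SAMPLE):
        print(s["log_id"][:16], s["timestamp_ms"])
```

The parser only decodes the structure; it does not verify SCT signatures or decide whether the logs are ones Firefox accepts.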
You can see CT enforcement in action for yourself using the ‘https://no-sct.badssl.com‘ test site, which, if accessed from Firefox v135, shows the error “mozilla_pkix_error_insufficient_certificate_transparency”, reflecting the fact that the server does not send a signed certificate timestamp (SCT) for the domain of the test site.
Image by Matthew McPherrin on Bluesky
Firefox's list of CT logs
CT support in a browser requires checking SCTs from an approved set of CT logs. This presents an operational challenge, especially as CT logs come and go over time. Each browser that enforces CT sets its own user agent policy for log configuration. For CT in Firefox:
- The list of known trusted logs is obtained from Chrome's list and automatically updated weekly in prerelease versions of Firefox. This means that CT log operators should not submit new logs to Firefox.
- To find out which logs are in a particular version of Firefox, you can check the history of the known CT logs.
To learn more about Firefox's CT policies, see Firefox Certificate Transparency.
Firefox and tile-based logs
As the Certificate Transparency community works towards tile-based logs, supporting Static CT API logs in addition to RFC 6962 logs, questions arise about whether Firefox will follow. On the Mozilla dev-security-policy list, Dana Keeler gave a positive hint that Mozilla is open to this approach. Keeler said: “If it is clear that we should move to supporting static-CT-api logs, we may also allow them.“
Final thoughts
Firefox's enforcement of Certificate Transparency marks a major step forward for web security. With all major browsers now requiring certificates to be logged in CT logs, it is more difficult for attackers to abuse certificates against users. For website owners, it is a reminder to remain vigilant and to monitor CT logs for certificates covering their domains.
More broadly, Certificate Transparency continues to grow and gain adoption across the industry. As browsers also start to look at tile-based logs, the CT ecosystem is growing stronger, bringing more transparency and security to the web.
2025-02-25 21:52:00