Intent to Deprecate and Remove: Expect-CT
Emily Stark
Contact emails
est...@chromium.orgExplainer
NoneSpecification
https://datatracker.ietf.org/doc/rfc9163Summary
Expect-CT is an HTTP header that allowed websites to opt in to Certificate Transparency enforcement before it was enforced by default. It also has reporting functionality to help developers discover CT misconfigurations.
Blink component
Internals>Network>DomainSecurityPolicyMotivation
Expect-CT was designed to help transition to universal Certificate Transparency (CT) enforcement, by allowing high-value websites to opt in to CT enforcement/reporting for better security before CT enforcement was required (by Chrome) on all public websites. However, Expect-CT has now outlived its usefulness. Chrome requires CT on all public websites now, so there is no security value to Expect-CT anymore. Expect-CT was also designed to help site owners discover CT-related misconfigurations; however, now that CT is universally required, CT is generally configured in websites' certificates by certificate authorities and virtually never configured by individual site owners, thus Expect-CT has very limited value as a misconfiguration/debugging tool anymore either. No other browser has implemented Expect-CT so removing it is not an interoperability concern.
Initial public proposal
https://groups.google.com/a/chromium.org/g/blink-dev/c/tgn5R-58iek/m/Q6YCnu0RFQAJTAG review
n/aTAG review status
Not applicableRisks
Interoperability and Compatibility
Gecko: No signal
WebKit: No signal
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
Debuggability
We'll add a console message informing developers that the header will/has no effect and they should remove it.Is this feature fully tested by web-platform-tests?
NoFlag name
Requires code in //chrome?
FalseEstimated milestones
No milestones specified
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6244547273687040
Yoav Weiss
Contact emails
est...@chromium.orgExplainer
NoneSpecification
https://datatracker.ietf.org/doc/rfc9163Summary
Expect-CT is an HTTP header that allowed websites to opt in to Certificate Transparency enforcement before it was enforced by default. It also has reporting functionality to help developers discover CT misconfigurations.
Blink component
Internals>Network>DomainSecurityPolicyMotivation
Expect-CT was designed to help transition to universal Certificate Transparency (CT) enforcement, by allowing high-value websites to opt in to CT enforcement/reporting for better security before CT enforcement was required (by Chrome) on all public websites. However, Expect-CT has now outlived its usefulness. Chrome requires CT on all public websites now, so there is no security value to Expect-CT anymore. Expect-CT was also designed to help site owners discover CT-related misconfigurations; however, now that CT is universally required, CT is generally configured in websites' certificates by certificate authorities and virtually never configured by individual site owners, thus Expect-CT has very limited value as a misconfiguration/debugging tool anymore either. No other browser has implemented Expect-CT so removing it is not an interoperability concern.
Initial public proposal
https://groups.google.com/a/chromium.org/g/blink-dev/c/tgn5R-58iek/m/Q6YCnu0RFQAJTAG review
n/aTAG review status
Not applicableRisks
Interoperability and Compatibility
No other browser has implemented Expect-CT or given signals that they intend to (to my knowledge). Expect-CT is not user-visible so removing the feature has no compatibility risk. Developers who are currently sending the header should stop doing so just to save the bytes on the wire.While the header is served on a large percent of requests (~6%), this is likely due to a small number of large providers that can be informed of the deprecation via 1:1 outreach.
As described above, the header serves no security value any longer, removing it will have no user-visible effects, and the header provides extremely minimal debugging value to developers since developers are no longer responsible for serving their own CT information (100.00% of requests serve CT information directly embedded in the certificate, which developers are not responsible for configuring).
Gecko: No signal
WebKit: No signal
Web developers: No signals
Other signals:WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
Debuggability
We'll add a console message informing developers that the header will/has no effect and they should remove it.Is this feature fully tested by web-platform-tests?
NoFlag name
Requires code in //chrome?
FalseEstimated milestones
No milestones specified
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6244547273687040This intent message was generated by Chrome Platform Status.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPP_2SbFjjX-AEv7bUEqOcgp8JTy5t9CoYHproGe0WkJGSY3Pg%40mail.gmail.com.
Emily Stark
What deprecation/removal timelines did you have in mind?
On Fri, Jul 8, 2022 at 6:31 PM Emily Stark <est...@chromium.org> wrote:Contact emails
est...@chromium.orgExplainer
NoneSpecification
https://datatracker.ietf.org/doc/rfc9163Summary
Expect-CT is an HTTP header that allowed websites to opt in to Certificate Transparency enforcement before it was enforced by default. It also has reporting functionality to help developers discover CT misconfigurations.
Blink component
Internals>Network>DomainSecurityPolicyMotivation
Expect-CT was designed to help transition to universal Certificate Transparency (CT) enforcement, by allowing high-value websites to opt in to CT enforcement/reporting for better security before CT enforcement was required (by Chrome) on all public websites. However, Expect-CT has now outlived its usefulness. Chrome requires CT on all public websites now, so there is no security value to Expect-CT anymore. Expect-CT was also designed to help site owners discover CT-related misconfigurations; however, now that CT is universally required, CT is generally configured in websites' certificates by certificate authorities and virtually never configured by individual site owners, thus Expect-CT has very limited value as a misconfiguration/debugging tool anymore either. No other browser has implemented Expect-CT so removing it is not an interoperability concern.
Initial public proposal
https://groups.google.com/a/chromium.org/g/blink-dev/c/tgn5R-58iek/m/Q6YCnu0RFQAJTAG review
n/aTAG review status
Not applicableRisks
Interoperability and Compatibility
No other browser has implemented Expect-CT or given signals that they intend to (to my knowledge). Expect-CT is not user-visible so removing the feature has no compatibility risk. Developers who are currently sending the header should stop doing so just to save the bytes on the wire.While the header is served on a large percent of requests (~6%), this is likely due to a small number of large providers that can be informed of the deprecation via 1:1 outreach.Are you planning to wait for usage to drop as a result of this outreach? Or are you fairly confident that removing will not break content due to some weird server side reliance on the header?
Yoav Weiss
Mike West
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfWPRsmX5O9pxzVkXCqWDqtTQwWkO0b-2EHh-1ZC5A6LzA%40mail.gmail.com.
Mike Taylor
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DdCC5kWim0Eo4vYdmXMuZOX4FD-LDg17VkM_txhg-Xgrg%40mail.gmail.com.
Joe Medley
--