Intent to Deprecate and Remove: Expect-CT


Emily Stark

Jul 8, 2022, 12:31:06 PM
to blink-dev

Contact emails

est...@chromium.org

Explainer

None

Specification

https://datatracker.ietf.org/doc/rfc9163

Summary

Expect-CT is an HTTP header that allowed websites to opt in to Certificate Transparency enforcement before it was enforced by default. It also has reporting functionality to help developers discover CT misconfigurations.



Blink component

Internals>Network>DomainSecurityPolicy

Motivation

Expect-CT was designed to help transition to universal Certificate Transparency (CT) enforcement, by allowing high-value websites to opt in to CT enforcement/reporting for better security before CT enforcement was required (by Chrome) on all public websites. However, Expect-CT has now outlived its usefulness. Chrome requires CT on all public websites now, so there is no security value to Expect-CT anymore. Expect-CT was also designed to help site owners discover CT-related misconfigurations; however, now that CT is universally required, CT is generally configured in websites' certificates by certificate authorities and virtually never configured by individual site owners, thus Expect-CT has very limited value as a misconfiguration/debugging tool anymore either. No other browser has implemented Expect-CT so removing it is not an interoperability concern.



Initial public proposal

https://groups.google.com/a/chromium.org/g/blink-dev/c/tgn5R-58iek/m/Q6YCnu0RFQAJ

TAG review

n/a

TAG review status

Not applicable

Risks



Interoperability and Compatibility


No other browser has implemented Expect-CT or given signals that they intend to (to my knowledge). Expect-CT is not user-visible so removing the feature has no compatibility risk. Developers who are currently sending the header should stop doing so just to save the bytes on the wire.

While the header is served on a large percent of requests (~6%), this is likely due to a small number of large providers that can be informed of the deprecation via 1:1 outreach. As described above, the header serves no security value any longer, removing it will have no user-visible effects, and the header provides extremely minimal debugging value to developers since developers are no longer responsible for serving their own CT information (100.00% of requests serve CT information directly embedded in the certificate, which developers are not responsible for configuring).

Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?



Debuggability

We'll add a console message informing developers that the header will/has no effect and they should remove it.

Is this feature fully tested by web-platform-tests?

No

Flag name



Requires code in //chrome?

False

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6244547273687040

This intent message was generated by Chrome Platform Status.
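Since the thread's advice to site owners is to stop sending the header, an added example (not Chromium's code and not part of the intent) of a parser for the Expect-CT field value following the RFC 9163 directive grammar, returning None wherever a conforming user agent would ignore the header (missing max-age, a repeated directive, a value on enforce, an unquoted report-uri); it is handy for auditing what a server still emits before the header is removed. The function and class names are this example's own.

```python
# Added example, not Chromium's or the intent author's code: an RFC 9163 Expect-CT parser.
import re
from dataclasses import dataclass
from typing import Optional

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"            # RFC 9110 token
_QUOTED = r'"(?:[^"\\]|\\.)*"'                       # RFC 9110 quoted-string
_DIRECTIVE = re.compile(rf"({_TOKEN})\s*(?:=\s*({_TOKEN}|{_QUOTED}))?\s*(?=,|$)")
_SEPARATORS = re.compile(r"[\s,]*")                  # OWS and empty list elements

@dataclass
class ExpectCT:
    max_age: int                        # delta-seconds; the only REQUIRED directive
    enforce: bool = False               # valueless flag: enforce rather than report-only
    report_uri: Optional[str] = None    # quoted-string URI for violation reports

def _unquote(raw: str) -> str:
    """Strip quotes and backslash escapes from a quoted-string; tokens pass through."""
    return re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw.startswith('"') else raw

def parse_expect_ct(value: str) -> Optional[ExpectCT]:
    """Parse one Expect-CT field value; None means a conforming UA must ignore it.
    Directive names are case-insensitive and unknown names are skipped."""
    seen: set[str] = set()
    max_age, enforce, report_uri = None, False, None
    pos = _SEPARATORS.match(value).end()
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if m is None:                     # any syntax error poisons the whole header
            return None
        name, raw = m.group(1).lower(), m.group(2)
        pos = _SEPARATORS.match(value, m.end()).end()
        if name in seen:                  # a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            digits = _unquote(raw or "")  # token or quoted delta-seconds
            if not digits.isdigit():
                return None
            max_age = int(digits)
        elif name == "enforce":
            if raw is not None:           # enforce takes no value
                return None
            enforce = True
        elif name == "report-uri":
            if raw is None or not raw.startswith('"'):
                return None               # the URI must be a quoted-string
            report_uri = _unquote(raw)
    return None if max_age is None else ExpectCT(max_age, enforce, report_uri)
```

A non-None result with a report_uri tells you which report-collection endpoint can be decommissioned once the header is dropped.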

Yoav Weiss

Jul 8, 2022, 12:34:29 PM
to Emily Stark, blink-dev
What deprecation/removal timelines did you have in mind?

On Fri, Jul 8, 2022 at 6:31 PM Emily Stark <est...@chromium.org> wrote:

While the header is served on a large percent of requests (~6%), this is likely due to a small number of large providers that can be informed of the deprecation via 1:1 outreach.

Are you planning to wait for usage to drop as a result of this outreach? Or are you fairly confident that removing will not break content due to some weird server side reliance on the header?
 

Emily Stark

Jul 8, 2022, 12:41:59 PM
to Yoav Weiss, Emily Stark, blink-dev
On Fri, Jul 8, 2022 at 9:34 AM Yoav Weiss <yoav...@chromium.org> wrote:
What deprecation/removal timelines did you have in mind?

Since there's no user-visible impact, I was hoping to do a console message in M105 and then remove in M106.

Are you planning to wait for usage to drop as a result of this outreach? Or are you fairly confident that removing will not break content due to some weird server side reliance on the header?

I would be very very surprised if the removal caused any breakage, so I think we can go ahead with the removal without waiting for usage to drop. The outreach is really just a heads-up to allow websites to save some bytes on serving the header and turn down any infrastructure they have in place for receiving reports, but the feature is essentially a no-op right now so removing it shouldn't cause any breakage.

Yoav Weiss

Jul 8, 2022, 12:44:27 PM
to Emily Stark, blink-dev
LGTM1 to deprecate and remove.
Please roll out the removal carefully. I'd similarly be surprised if the removal causes breakage, but I have been surprised before, so.. :)

Mike West

Jul 11, 2022, 8:08:18 AM
to Yoav Weiss, Emily Stark, blink-dev
LGTM2. Good luck with the removal.

-mike


Mike Taylor

Jul 11, 2022, 9:45:20 AM
to Mike West, Yoav Weiss, Emily Stark, blink-dev

Joe Medley

Jul 11, 2022, 12:09:44 PM
to Emily Stark, blink-dev
Emily,

In which milestone will this be removed?

Joe
Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com | 816-678-7195
If an API's not documented it doesn't exist.


Emily Stark

Jul 12, 2022, 4:52:50 PM
to Joe Medley, Emily Stark, blink-dev
Hi Joe -- I'm planning to deprecate in M105 and remove in M106.

Emily Stark

Jul 19, 2022, 1:59:42 PM
to Emily Stark, Joe Medley, blink-dev
Update: this will likely now be deprecated in M106 and removed in M107; using the Deprecation Reporting mechanism is proving to be significantly more complicated than I expected.