Certificate Transparency is now enforced in Firefox on desktop platforms starting with version 135

5,380 views
Skip to first unread message

Dana Keeler

unread,
Feb 4, 2025, 2:54:28 PMFeb 4
to dev-secur...@mozilla.org, dev-pl...@mozilla.org, enter...@mozilla.org
Hi folks,

Certificate Transparency is an important part of the web PKI that enables the detection of misissued certificates. Starting in Firefox 135, Certificate Transparency is now enforced on all desktop platforms. This means that Firefox now requires that TLS web server certificates issued from roots in Mozilla's Root CA program be accompanied by sufficient Certificate Transparency information (essentially, 2 SCTs) in order for TLS connections to succeed. Otherwise, Firefox will show the error "

In practice, this should require no particular changes on the part of website operators. If your site works in Chrome and Safari, it should work in Firefox as well. However, if you were making use of policies to exempt certain internal certificates or domains from CT, you will need to apply those policies to Firefox as well. See https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#Enterprise_Policies

If you encounter any issues, please let us know or file a bug directly: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM

Thank you,
Dana

Bas Westerbaan

unread,
Feb 4, 2025, 2:58:13 PMFeb 4
to Dana Keeler, dev-secur...@mozilla.org, dev-pl...@mozilla.org, enter...@mozilla.org
Congratulations! This is an important achievement. Thank you for the hard work.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAHP1u2ibhTB4r5YMZ6GNGo4Cr%2B5HQN3w-ULip6_ayX1aAzsH7A%40mail.gmail.com.

Matthew McPherrin

unread,
Feb 4, 2025, 4:05:16 PMFeb 4
to dev-secur...@mozilla.org, Dana Keeler, dev-pl...@mozilla.org, enter...@mozilla.org
Congratulations!

As a CT log operator, do I need to begin submitting my new logs to Firefox, or will you take logs from the other programs?
As a CA, do you have a list of supported logs that we can validate against?

Thanks,

Matthew McPherrin
Let's Encrypt SRE

Jan Schaumann

unread,
Feb 4, 2025, 4:16:05 PMFeb 4
to Dana Keeler, dev-secur...@mozilla.org, dev-pl...@mozilla.org, enter...@mozilla.org
> Certificate Transparency is now enforced on all desktop platforms.

This is great news!

Could you clarify how this applies to custom CAs? The
language in your email could, I believe, be
interpreted in different ways:

> This means that Firefox now requires that TLS web
> server certificates issued from roots in Mozilla's
> Root CA program

This part suggests to me that this _only_ applies to
the CAs in the root program as shipped by Mozilla.
I.e., if I add my custom CA, certs issued by that will
_not_ be subject to this requirement.

> However, if you were making use of policies to
> exempt certain internal certificates or domains from
> CT, you will need to apply those policies to Firefox
> as well.

But this statement suggests that for my custom CA I
_do_ need to take action.

Sorry if this is obvious to everybody else, but if you
could clarify, that'd be much appreciated.

Thanks!
-Jan

Dana Keeler

unread,
Feb 4, 2025, 4:42:17 PMFeb 4
to Matthew McPherrin, dev-secur...@mozilla.org, enter...@mozilla.org
> As a CT log operator, do I need to begin submitting my new logs to Firefox, or will you take logs from the other programs?
> As a CA, do you have a list of supported logs that we can validate against?

Currently Firefox derives the list of trusted logs from Google's list: https://www.gstatic.com/ct/log_list/v3/log_list.json
Should this ever change, we'll give plenty of notice.
To see what logs are in a particular version of Firefox, you can examine the history of https://searchfox.org/mozilla-central/source/security/ct/CTKnownLogs.h

Dana Keeler

unread,
Feb 4, 2025, 4:50:32 PMFeb 4
to Jan Schaumann, dev-secur...@mozilla.org, dev-pl...@mozilla.org, enter...@mozilla.org
> Could you clarify how this applies to custom CAs?

For CAs that are not part of Mozilla's Root CA program (in other words, CAs that are not built-ins shipped with Firefox), no certificate transparency information is required (in other words, for your custom CA, no action should be needed).
The use of policies to exempt internal certificates or domains applies to situations where a publicly-trusted CA was used to issue certificates for domains that are intended to be internal to an organization.

Jan Schaumann

unread,
Feb 4, 2025, 4:51:21 PMFeb 4
to Dana Keeler, dev-secur...@mozilla.org, dev-pl...@mozilla.org, enter...@mozilla.org
Dana Keeler <dke...@mozilla.com> wrote:
> > Could you clarify how this applies to custom CAs?
>
> For CAs that are not part of Mozilla's Root CA program (in other words, CAs
> that are not built-ins shipped with Firefox), no certificate transparency
> information is required (in other words, for your custom CA, no action
> should be needed).
> The use of policies to exempt internal certificates or domains applies to
> situations where a publicly-trusted CA was used to issue certificates for
> domains that are intended to be internal to an organization.

Thanks, that makes it clear.

-Jan

Jeremy Rowley

unread,
Feb 4, 2025, 5:50:00 PMFeb 4
to Jan Schaumann, Dana Keeler, dev-secur...@mozilla.org, dev-pl...@mozilla.org, enter...@mozilla.org
I realize ekr is no longer part of Mozilla, but I am wondering on your thoughts on his previous dislike for CT? 

How did you overcome his criticisms? Did Mozilla just accept the CT shortcomings? I like CT personally, but I found his criticisms interesting and wanted to hear more about any discussion/decisions related to them. 

Congrats as well!

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Dana Keeler

unread,
Feb 4, 2025, 6:22:20 PMFeb 4
to Jeremy Rowley, Jan Schaumann, dev-secur...@mozilla.org, dev-pl...@mozilla.org, enter...@mozilla.org
Personally, I don't think I fundamentally disagree with anything in that blog post. Much of the criticism seems to involve how complicated the design is in contrast to the relatively weak security properties we actually get out of the system as deployed. It helps that as a browser, we don't have to do the complicated Merkle tree stuff - we can just verify the SCTs as counter-signatures. That said, in the future we may want to run our own log, but that's a discussion for another time. Also, we should probably investigate some sort of privacy-preserving auditing mechanism, but again that's future work. I think our position can be summed up as "CT: Still Useful", as ekr says.

Pierre Barre

unread,
Jun 18, 2025, 10:54:25 AMJun 18
to dev-secur...@mozilla.org, Jeremy Rowley, Dana Keeler, dev-secur...@mozilla.org, dev-pl...@mozilla.org, enter...@mozilla.org, Jan Schaumann
Hello,
 
I am quite late to the party on this thread, but having recently implemented a CT log (https://github.com/Barre/compact_log), ekr's blog post was actually one of the things that I had on my mind while designing.

Reading his post, most of the issues he raises are about specific implementation choices. 
The SCT-as-promise problem exists because traditional logs issue SCTs immediately then incorporate certificates later. CompactLog does it the other way around - certificates go into the Merkle tree first, then issue the SCT. Zero MMD, no promises involved.

Same with the operational complexity - logs struggling with 24-hour deadlines and having outages. CompactLog handles 3-4K certificates/second with P99 latencies under 1 second, no background processing needed. The synchronous design eliminates entire classes of timing-related failures.

The one valid criticism that remains is browsers not verifying inclusion proofs by default. But there's an interesting middle ground here: systematic cross-validation between logs. Since browsers already require 2-3 SCTs from different logs, certificates are seen by multiple logs anyway. When Log A sees a certificate with SCTs from Logs B and C, it can verify that certificate actually appears in their trees. This changes the attack model significantly - instead of just finding 2-3 colluding logs, an attacker must ensure their phantom certificate *never* reaches any honest log through monitors, crawlers, or third-party submissions. With 6 trusted logs, attacking a system requiring 2 SCTs means evading detection by all 4 non-colluding logs indefinitely. Combined with domain-specific monitoring, this creates multiple independent detection layers without the privacy concerns of client-side verification.

From an implementer's perspective, CT delivers what it promises - a verifiable log of all certificates. The fact that browsers choose to trust SCTs rather than verify proofs doesn't diminish the value of having that verifiable log.

Best,
Pierre
Reply all
Reply to author
Forward
0 new messages