Certificate Transparency enforcement in Firefox


Rob Stradling

Oct 16, 2024, 6:27:12 AM
to dev-secur...@mozilla.org
If I understand correctly from Bug 1921525, CT enforcement just landed in Firefox Nightly.  Congratulations, Mozilla team!  I have questions though...

Am I correct that Firefox Nightly is currently using this hard-coded log list, meaning that log list changes will be tied to browser releases?
If so, may I ask if Mozilla plans to implement a dedicated log list update mechanism, perhaps based on a JSON feed as both Chrome and Apple have done?

Does Mozilla have a CT Policy yet?  This wiki page from 2015 is the only documentation I could find.

Does Mozilla have a CT Log Policy yet?

Chrome is working towards allowing static-ct-api logs in addition to RFC6962 logs.  Does Mozilla plan to do the same?

--
Rob Stradling
Distinguished Engineer
Sectigo Limited

Matthew McPherrin

Oct 16, 2024, 1:22:53 PM
to Rob Stradling, dev-secur...@mozilla.org
It appears that Firefox has a 12-week time-gate on enforcement:

This is two weeks longer than Chrome's 70 day enforcement gate, which seems like it could potentially cause issues, assuming CAs are looking at Apple and Google's "Usable" state only. I think in practice logs are "usable" well in advance of their submission windows, so this may cause a tricky-to-diagnose edge case for Firefox users that only happens rarely.



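To make the edge case Matthew describes concrete, here is an added illustration that is not code from Firefox, Chrome, or anyone in this thread. It assumes (from Ryan's later remark) that the gate is a build-age check, i.e. a browser stops enforcing CT once its binary is older than the gate, that the log list is frozen into the build, and that a certificate needs SCTs from at least two logs the build knows; the two-SCT threshold, log names and dates are constructed for the example.

```python
# Added model of the build-age "enforcement gate" edge case from the thread.
# Assumptions (not from the thread): enforcement stops once the build is older
# than the gate; the log list is frozen at build time; a cert needs SCTs from
# at least two known logs (simplified). Log names and dates are constructed.
from datetime import date, timedelta

CHROME_GATE = timedelta(days=70)
FIREFOX_GATE_INITIAL = timedelta(weeks=12)   # 84 days, as first landed
FIREFOX_GATE_PATCHED = timedelta(weeks=10)   # 70 days, after the follow-up bug
MIN_KNOWN_SCTS = 2                           # simplified policy threshold


def enforcement_active(build_date: date, today: date, gate: timedelta) -> bool:
    """A build older than the gate silently stops enforcing CT."""
    return today - build_date <= gate


def evaluate(sct_logs, build_log_list, build_date, today, gate) -> str:
    """Outcome for a connection whose certificate carries SCTs from sct_logs."""
    if not enforcement_active(build_date, today, gate):
        return "allowed (gate expired, CT not enforced)"
    known = [log for log in sct_logs if log in build_log_list]
    if len(known) >= MIN_KNOWN_SCTS:
        return "allowed (CT satisfied)"
    return "blocked (only %d SCT(s) from logs this build knows)" % len(known)


# Constructed scenario: the build ships with two hard-coded logs. A third log,
# "new-log", becomes Usable in Chrome/Apple after the build date, and a CA that
# watches only those lists starts logging to it.
BUILD_DATE = date(2024, 10, 1)
BUILD_LOG_LIST = {"log-a", "log-b"}
CERT_SCTS = ["log-a", "new-log"]


def scenario(days_after_build: int) -> dict:
    """Compare the three gates for a client built BUILD_DATE, N days later."""
    today = BUILD_DATE + timedelta(days=days_after_build)
    args = (CERT_SCTS, BUILD_LOG_LIST, BUILD_DATE, today)
    return {
        "chrome_70d": evaluate(*args, CHROME_GATE),
        "firefox_12w": evaluate(*args, FIREFOX_GATE_INITIAL),
        "firefox_10w": evaluate(*args, FIREFOX_GATE_PATCHED),
    }


if __name__ == "__main__":
    # Day 80: inside the 12-week gate but past the 70-day one, so only the
    # 12-week build still enforces against its stale list and blocks the site.
    for browser, outcome in scenario(80).items():
        print(browser, "->", outcome)
```

Days 71 to 84 after the build are the window where a stale 12-week build still enforces while a 70-day build does not, which is why the failure is rare and hard to diagnose.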

Ryan Hurst

Oct 16, 2024, 4:30:19 PM
to Matthew McPherrin, Rob Stradling, dev-secur...@mozilla.org

I agree. Unfortunately, an extension of this period essentially slows down the agility of the CT ecosystem. I hope the implementers of this work sync with the Chrome and Apple teams to understand the reasons behind some of their implementation behaviors so they can be taken into consideration. For example, I believe both turn off CT enforcement after some time due to past issues. Regardless, I am happy to finally see this work proceed and wish the Mozilla team success in this journey.


Dana Keeler

Oct 16, 2024, 5:14:26 PM
to dev-secur...@mozilla.org
Thank you everyone for your interest!

On Wed, Oct 16, 2024 at 3:27 AM 'Rob Stradling' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:
> If I understand correctly from Bug 1921525, CT enforcement just landed in Firefox Nightly.  Congratulations, Mozilla team!  I have questions though...
>
> Am I correct that Firefox Nightly is currently using this hard-coded log list, meaning that log list changes will be tied to browser releases?

Yes, that is currently the case.

> If so, may I ask if Mozilla plans to implement a dedicated log list update mechanism, perhaps based on a JSON feed as both Chrome and Apple have done?

We are considering such a mechanism.

> Does Mozilla have a CT Policy yet?  This wiki page from 2015 is the only documentation I could find.

Currently our CT Policy is equivalent to Chrome's (and is thus compatible with Apple's).
That wiki page is very out-of-date and will be updated.

> Does Mozilla have a CT Log Policy yet?

Mozilla does not yet have a CT Log Policy. The implementation currently considers logs acceptable in Chrome to be acceptable in Firefox. We may develop a more formal position in the future.

> Chrome is working towards allowing static-ct-api logs in addition to RFC6962 logs.  Does Mozilla plan to do the same?

If it becomes clear that supporting static-ct-api logs is necessary to interoperate, we will probably allow them as well.

On Wed, Oct 16, 2024 at 1:30 PM Ryan Hurst <ryan....@gmail.com> wrote:
> I agree. Unfortunately, an extension of this period essentially slows down the agility of the CT ecosystem. I hope the implementers of this work sync with the Chrome and Apple teams to understand the reasons behind some of their implementation behaviors so they can be taken into consideration. For example, I believe both turn off CT enforcement after some time due to past issues. Regardless, I am happy to finally see this work proceed and wish the Mozilla team success in this journey.
>
> On Wed, Oct 16, 2024 at 10:22 AM 'Matthew McPherrin' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:
> > It appears that Firefox has a 12-week time-gate on enforcement:
> >
> > This is two weeks longer than Chrome's 70 day enforcement gate, which seems like it could potentially cause issues, assuming CAs are looking at Apple and Google's "Usable" state only. I think in practice logs are "usable" well in advance of their submission windows, so this may cause a tricky-to-diagnose edge case for Firefox users that only happens rarely.

Yes, one would hope that we wouldn't negatively impact the agility of the ecosystem. I'm sure we can find a way to rectify this misalignment.

Matthew McPherrin

Oct 17, 2024, 10:47:55 AM
to Dana Keeler, dev-secur...@mozilla.org
I see you've landed a patch changing 12 to 10 weeks: https://bugzilla.mozilla.org/show_bug.cgi?id=1925127

Thanks for the prompt update, and congratulations again on enabling this in Nightly!

On Wed, Oct 16, 2024 at 5:14 PM 'Dana Keeler' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:
> > This is two weeks longer than Chrome's 70 day enforcement gate, which seems like it could potentially cause issues
>
> Yes, one would hope that we wouldn't negatively impact the agility of the ecosystem. I'm sure we can find a way to rectify this misalignment.