Can't understand behavior of Expect-CT header


Sanjay kumar

Aug 18, 2017, 11:35:40 AM
to certificate-transparency

Hello,

After knowing that Chrome 61beta includes support for Expect-CT header, I tried to implement it to study its behavior. I deliberately sent wrong SCTs from my server, and added Expect-CT header as max-age=3600, enforce, report-uri="https://mydomain/report".

Upon sending a request to my server from Chrome 61beta, I received the report at my domain. However, subsequent connections to my domain didn't fail as expected (since the SCTs were wrong).

Also, in the report I received, the JSON key effective-expiration-date had the value 1601-01-01T00:00:00.000Z. Does this mean that my domain is never added as a Known CT Host, and hence Chrome doesn't show any warning as it is always a first visit?

Please clarify where I am wrong.

Thanks,
Sanjay

Emily Stark

Aug 18, 2017, 1:31:43 PM
to certificate-transparency
Hi Sanjay,

The browser will only note a host as a Known Expect-CT Host if it receives the header over a CT-compliant connection. This is to prevent misconfigured sites from accidentally persistently breaking themselves. In other words, the site must "prove" to the browser that it knows how to do CT properly before the browser will remember it as an Expect-CT host. See "If the connection does not comply..." in https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02#section-2.3.1. The browser does still send a report when it receives an Expect-CT header over a non-CT-compliant connection to alert the site owner that the site is misconfigured.

Hope that helps! Also note that an upcoming version of Chrome Canary (62.0.3189.0 and later) will allow you to query Expect-CT state in chrome://net-internals#hsts to hopefully make this kind of behavior more debuggable.

Emily
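A small model of the browser-side logic described in the reply above, added here as an illustration and not Chrome's or the draft's own code. KNOWN_HOSTS, parse_expect_ct and process_response are constructed names, and times are plain unix seconds.

```python
from datetime import datetime, timezone

# Constructed stand-in for the browser's persistent Known Expect-CT Host store.
KNOWN_HOSTS = {}

def parse_expect_ct(header):
    """Parse 'max-age=3600, enforce, report-uri="https://..."' into a policy dict."""
    policy = {"max_age": None, "enforce": False, "report_uri": None}
    for directive in header.split(","):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            policy["max_age"] = int(value)
        elif name == "enforce":
            policy["enforce"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    return policy

def process_response(host, header, ct_compliant, now):
    """Apply one response received at unix time `now`.
    Returns (connection_failed, report_or_None) and updates KNOWN_HOSTS."""
    policy = parse_expect_ct(header)
    known = KNOWN_HOSTS.get(host)
    if known is not None and known["expires"] <= now:
        del KNOWN_HOSTS[host]                 # expired entries are forgotten
        known = None
    if ct_compliant:
        # Only a CT-compliant connection may note or refresh the host
        # (draft-ietf-httpbis-expect-ct-02, section 2.3.1).
        if policy["max_age"] is not None:
            KNOWN_HOSTS[host] = {"expires": now + policy["max_age"],
                                 "enforce": policy["enforce"],
                                 "report_uri": policy["report_uri"]}
        return False, None
    # Non-compliant connection: nothing is stored. A report is still sent if
    # any report-uri is known, and the connection fails only for a host that
    # was already noted with enforce.
    report_uri = (known or {}).get("report_uri") or policy["report_uri"]
    report = None
    if report_uri:
        expires = known["expires"] if known else None
        report = {"report-uri": report_uri, "hostname": host,
                  # With no stored policy Chrome reports a zero timestamp
                  # (1601-01-01T00:00:00.000Z), as seen in the thread.
                  "effective-expiration-date": (
                      datetime.fromtimestamp(expires, timezone.utc).isoformat()
                      if expires is not None else None)}
    failed = bool(known and known["enforce"])
    return failed, report
```

Running the header from the original post over a connection that is never CT-compliant produces a report each time but never notes the host, which is exactly the behaviour observed.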