== Certificate Transparency Support in Firefox ==
The security engineering team is actively working to implement Certificate Transparency (CT) in Firefox. As of version 133, CT is enforced in Nightly by default: every TLS web server certificate must be accompanied by sufficient Certificate Transparency information (Signed Certificate Timestamps, or SCTs) for Nightly to connect without showing an error page. As of version 134, it is enforced in Beta by default.
Certificate transparency is controlled by the preference ''security.pki.certificate_transparency.mode''. A value of '''0''' disables CT entirely. '''1''' enables CT without enforcing it: Firefox checks the CT information but never blocks a connection over it, which allows telemetry to be collected on the implementation and the ecosystem. Setting this preference to '''2''' causes Firefox to enforce CT for certificates issued by roots in [[CA|Mozilla's Root CA Program]].
=== Enterprise Policies ===
The preference ''security.pki.certificate_transparency.disable_for_hosts'' can be used to disable CT enforcement for specific hosts. To do so, specify any number of entries separated by commas. An entry of the form '''example.com''' disables CT for '''example.com''' and all subdomains of that domain. An entry of the form '''.example.com''' (with a leading dot) disables CT for '''example.com''' only, not for its subdomains. This is intended to be similar to the Chrome enterprise policy [https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForUrls CertificateTransparencyEnforcementDisabledForUrls].
The preference ''security.pki.certificate_transparency.disable_for_spki_hashes'' can be used to disable CT enforcement for certificate chains in which any certificate has a matching SubjectPublicKeyInfo (SPKI). To do so, specify any number of entries separated by commas. Each entry must be the base64-encoded SHA-256 hash of a certificate's DER-encoded SubjectPublicKeyInfo. This is intended to be similar to the Chrome enterprise policy [https://chromeenterprise.google/policies/#CertificateTransparencyEnforcementDisabledForCas CertificateTransparencyEnforcementDisabledForCas].
Both of these preferences can be set via [https://mozilla.github.io/policy-templates/#preferences policy].
=== Known CT Logs ===