Certificate Transparency

Certificate Transparency is a new layer of security on top of TLS ecosystem. It is mandatory in Chrome for new certificates since 2017. This Firefox plugin makes the browser compatible with Certificate Transparency checking the SCT (Signed Certificate Timestamp) embedded in the certificates that protects the webs the user visits.

A certificate is considered “logged” if it counts with a SCT (Signed Certificate Timestamp). This SCT is given to the owner of the certificate when logged, and the browser has to verify it is real and current. This is exactly what Chrome has been doing for a while now. Now Firefox, thanks to this plugin, is able to check the SCT for certificates.

Our plugin works with lots of logs. It means that it does not matter from which log the SCT comes from, we will be able to check it because we have introduced the public key and address of basically all known logs so far:

Google ‘Pilot’, Google ‘Aviator’, DigiCert Log Server, Google ‘Rocketeer’, Certly.IO, Izenpe, Symantec, Venafi, WoSign, WoSign ctlog, Symantec VEGA, CNNIC CT, Wang Shengnan GDCA , Google ‘Submariner’, Izenpe 2nd, StartCom CT, Google ‘Skydiver’, Google ‘Icarus’ , GDCA, Google ‘Daedalus’, PuChuangSiDa, Venafi Gen2 CT, Symantec SIRIUS and DigiCert CT2.

SCT may be delivered by three different ways:
- Embedded in the certificate
- With a TLS extension
- In OCSP

It is not easy from a plugin technical perspective to get to TLS or OCSP extensions layer and check the SCT. Even for Mozilla engineers. Our plugin so far checks for SCT embedded in the certificate itself. Although not ideal, this is the most common scenario so most of certificates distribute its SCT embedded.