Google's Certificate Transparency project has been in place for some time. Google Chrome and Mozilla Firefox have both claimed to have joined the project, but how do I test if the browser actually supports certificate transparency and the three ways of delivery of SCTs?
1 Answer
One of the easiest ways to test whether a browser is checking certificate transparency is to try a known bad site, such as https://invalid-expected-sct.badssl.com. Using this address, Chrome 69 will say the site is insecure, but Safari 12.0, which doesn't perform certificate transparency, will let it through.
Chrome's policy can be found at https://github.com/chromium/ct-policy/blob/master/ct_policy.md
Apple are in the process of enforcing certificate transparency with, I believe, the plan being to roll it out in iOS 12.1.1 and macOS 10.14.2. Their policy can be found at https://support.apple.com/en-us/HT205280
Firefox 63.0.1 doesn't seem to support certificate transparency either. Although support is built into Firefox, I believe it is currently not enforced until some other issues are resolved.
In terms of trying to test the three methods of delivery, there is a research project at https://www.ida.liu.se/~nikca89/papers/pam18.html with code available that pulls SCTs for a given list of domains, so you should be able to use that to check all 3 ways. To get it working, you create a file top-1m.csv with entries for each domain on separate lines, prefixed with an ignored numeric value, and execute the main function in FirstTestCase. Alternatively, you could look at the Conscrypt project, although that is more work.

- The certificate for invalid-expected-sct.badssl.com expired a couple of weeks after this question was answered. Unfortunately badssl.com cannot get a replacement, see https://github.com/chromium/badssl.com/issues/372 about that. – Jari Turkia Feb 28 '19 at 10:30
- Seems the replacement would be https://missing-sct.badssl.com; however, there are other SSL issues with that site currently. Once resolved and testable I'll update this answer – appmattus May 30 '19 at 06:21
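An added example, not part of the answer above and not code from the linked research project: the three delivery channels RFC 6962 defines (an X.509v3 certificate extension, a TLS extension, and an extension in a stapled OCSP response) all carry the same SignedCertificateTimestampList, so one decoder can check what a server delivered over each of them. The sketch assumes the raw list bytes have already been extracted (in the certificate and OCSP cases they sit inside an extra DER OCTET STRING); `build_sct` and `build_list` are hypothetical helpers that produce constructed test input, and no signature verification is done.

```python
import struct
from datetime import datetime, timezone

def parse_sct(sct: bytes) -> dict:
    """Parse one v1 SignedCertificateTimestamp; ValueError if malformed."""
    # Fixed header: version(1) + log_id(32) + timestamp(8) + ext_len(2) = 43
    if len(sct) < 43:
        raise ValueError("truncated SCT header")
    version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct, 0)
    if version != 0:
        raise ValueError("unsupported SCT version")
    pos = 43 + ext_len
    if len(sct) < pos + 4:
        raise ValueError("truncated signature header")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, pos)
    if len(sct) != pos + 4 + sig_len:
        raise ValueError("signature length mismatch")
    when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
    return {"log_id": log_id.hex(), "timestamp_ms": ts_ms,
            "issued": when.isoformat(), "hash_alg": hash_alg,
            "sig_alg": sig_alg, "signature": sct[pos + 4:]}

def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList (2-byte length prefixes)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("list length does not match payload")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (n,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + n > len(data):
            raise ValueError("SCT overruns list")
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def build_sct(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
    """Constructed test input: v1 SCT, no extensions, SHA-256 (4) / ECDSA (3)."""
    body = struct.pack(">B32sQH", 0, log_id, ts_ms, 0)
    return body + struct.pack(">BBH", 4, 3, len(sig)) + sig

def build_list(scts: list) -> bytes:
    """Constructed test input: wrap serialized SCTs in the list framing."""
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(inner)) + inner
```

Comparing the decoded `log_id` values from each channel against the logs a browser's CT policy accepts shows which delivery method a given server actually relies on.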