
Enable certificate transparency enforcement #3242

Open
1 task done
dot-gov opened this issue Mar 13, 2025 · 2 comments · May be fixed by #3243
Comments

@dot-gov
Contributor

dot-gov commented Mar 13, 2025

Description

Enable certificate transparency enforcement

Who's implementing?

  • I'm willing to implement this feature myself

The problem

Certificate transparency isn't enforced. You can check for this by using a test site like https://no-sct.badssl.com/. On chrome this results in an error, but on ungoogled-chromium it loads fine.

Enabling this enhances security because it makes it more difficult for misissued certificates to go undetected. Most browsers enforce certificate transparency, so ungoogled-chromium benefits from some "herd immunity", but it's still better to enforce it ourselves than to rely on that.

Possible solutions

The comment in chromium source code suggests this requires a bunch of work:

// Enables Certificate Transparency on Desktop and Android Browser (CT is
// disabled in Android Webview, see aw_browser_context.cc).
// Enabling CT enforcement requires maintaining a log policy, and the ability to
// update the list of accepted logs. Embedders who are planning to enable this
// should first reach out to [email protected].

But I toggled that FEATURE_ENABLED_BY_DEFAULT, and it seems to work as expected with no further changes.

Alternatives

No response

Additional context

No response
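As an added example (not code from this issue or from the ungoogled-chromium project): a parser for the RFC 6962 SignedCertificateTimestampList that a CT-enforcing client extracts from a server certificate's SCT extension, plus a simplified "SCTs from N distinct logs" check. That threshold is an assumption for illustration, not Chromium's actual CT policy, and the SCT bytes are constructed with fake log ids and signatures (no signature verification is done).

```python
import struct
from dataclasses import dataclass
from typing import List

# SCT list extension OID (RFC 6962 section 3.3); parsing starts after the DER OCTET STRING wrapper.
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"

@dataclass
class Sct:
    version: int        # 0 = v1 (RFC 6962)
    log_id: bytes       # SHA-256 of the log's public key
    timestamp_ms: int   # milliseconds since the Unix epoch
    signature: bytes    # raw DigitallySigned.signature bytes (not verified here)

def parse_sct_list(blob: bytes) -> List[Sct]:
    """Parse a SignedCertificateTimestampList; raises ValueError on malformed input."""
    if len(blob) < 2 or struct.unpack(">H", blob[:2])[0] != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated SCT length")
        (n,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        sct = blob[pos:pos + n]; pos += n
        if len(sct) != n or n < 43:
            raise ValueError("truncated SCT")
        (ts,) = struct.unpack(">Q", sct[33:41])
        (ext_len,) = struct.unpack(">H", sct[41:43])
        sig_at = 43 + ext_len + 2          # skip extensions, hash alg byte, sig alg byte
        if sig_at + 2 > n:
            raise ValueError("truncated SCT signature header")
        (sig_len,) = struct.unpack(">H", sct[sig_at:sig_at + 2])
        sig = sct[sig_at + 2:sig_at + 2 + sig_len]
        if len(sig) != sig_len:
            raise ValueError("truncated signature")
        scts.append(Sct(sct[0], sct[1:33], ts, sig))
    return scts

def satisfies_policy(scts: List[Sct], min_distinct_logs: int = 2) -> bool:
    """Simplified policy (an assumption, not Chromium's real one): SCTs from N distinct logs."""
    return len({s.log_id for s in scts}) >= min_distinct_logs

def build_sct(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
    """Encode one v1 SCT (no extensions, SHA-256/ECDSA algorithm ids) as a length-prefixed item."""
    body = (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00" + b"\x04\x03"
            + struct.pack(">H", len(sig)) + sig)
    return struct.pack(">H", len(body)) + body

def build_sct_list(items: List[bytes]) -> bytes:
    body = b"".join(items)
    return struct.pack(">H", len(body)) + body

# Constructed samples (fake log ids/signatures, timestamp 2025-03-13 UTC), as a CT-checking client would see them.
NO_SCTS = build_sct_list([])
ONE_LOG = build_sct_list([build_sct(b"\x01" * 32, 1741824000000, b"\xaa" * 8)])
TWO_LOGS = build_sct_list([build_sct(b"\x01" * 32, 1741824000000, b"\xaa" * 8),
                           build_sct(b"\x02" * 32, 1741824001000, b"\xbb" * 8)])
```

A site like no-sct.badssl.com corresponds to the NO_SCTS case: an enforcing client rejects it, a non-enforcing one loads it.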

@networkException
Member

networkException commented Mar 13, 2025

I assume the comment is about embedding chromium; what's mentioned there (log policy, etc.) should already be done by upstream for desktop browsing.

@networkException
Member

Having this gated with GOOGLE_CHROME_BRANDING seems very weird to me

@PF4Public PF4Public added the need info Need feedback to proceed label Mar 14, 2025
@dot-gov dot-gov linked a pull request Mar 14, 2025 that will close this issue