Unsere Freiwilligen haben diesen Artikel noch nicht in Deutsch übersetzt. Machen Sie mit und helfen Sie, das zu erledigen!
Sie können den Artikel auch auf English (US) lesen.
The Expect-CT header allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed.
CT requirements can be satisfied by servers via any one of the following mechanisms:
- X.509v3 certificate extension to allow embedding of signed certificate timestamps issued by individual logs
- A TLS extension of type
signed_certificate_timestampsent during the handshake - Supporting OCSP stapling (that is, the
status_requestTLS extension) and providing aSignedCertificateTimestampList
When a site enables the Expect-CT header, they are requesting that the browser check that any certificate for that site appears in public CT logs.
Browsers ignore the Expect-CT header when sent over HTTP, the header only has effect on HTTPS connections.
| Header type | Response header |
|---|---|
| Forbidden header name | yes |
Syntax
Expect-CT: report-uri="<uri>",
enforce,
max-age=<age>
Directives
max-age-
Specifies the number of seconds after reception of the
Expect-CTheader field during which the user agent should regard the host from whom the message was received as a known Expect-CT host.If a cache receives a value greater than it can represent, or if any of its subsequent calculations overflows, the cache will consider the value to be either 2147483648 (2^31) or the greatest positive integer it can conveniently represent.
report-uri="<uri>"Optional-
Specifies the URI to which the user agent should report Expect-CT failures.
When both theenforcedirective and thereport-uridirective are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported. enforceOptional-
Signals to the user agent that compliance with the Certificate Transparency policy should be enforced (rather than only reporting compliance) and that the user agent should refuse future connections that violate its Certificate Transparency policy.
When both the
enforcedirective and thereport-uridirective are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported.
Example
The following example specifies enforcement of Certificate Transparency for 24 hours and reports violations to foo.example.
Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"
Notes
Root CAs manually added to the trust store override and suppress Expect-CT reports/enforcement.
Browsers will not remember an Expect-CT policy, unless the site has 'proven' it can serve a certificate satisfying the certificate transparency requirements. Browsers implement their own trust model regarding which CT logs are considered trusted for the certificate to have been logged to.
Builds of Chrome are designed to stop enforcing the Expect-CT policy 10 weeks after the installation's build date.
Specifications
| Specification | Title |
|---|---|
| Internet Draft | Expect-CT Extension for HTTP |
Browser compatibility
| Desktop | Mobile | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Expect-CT | Chrome
Full support
61
| Edge ? | Firefox ? | IE ? | Opera Full support 48 | Safari ? | WebView Android No support No | Chrome Android Full support 61 | Firefox Android ? | Opera Android Full support 45 | Safari iOS ? | Samsung Internet Android No support No |
Legend
- Full support
- Full support
- No support
- No support
- Compatibility unknown
- Compatibility unknown
- See implementation notes.
- See implementation notes.