Expect-CT


The Expect-CT header allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed.

CT requirements can be satisfied by servers via any one of the following mechanisms:

  • X.509v3 certificate extension to allow embedding of signed certificate timestamps issued by individual logs
  • A TLS extension of type signed_certificate_timestamp sent during the handshake
  • Supporting OCSP stapling (that is, the status_request TLS extension) and providing a SignedCertificateTimestampList

When a site enables the Expect-CT header, it is requesting that the browser check that any certificate for that site appears in public CT logs.

Browsers ignore the Expect-CT header when it is sent over HTTP; the header only has effect on HTTPS connections.

Header type: Response header
Forbidden header name: yes

Syntax

Expect-CT: report-uri="<uri>",
           enforce,
           max-age=<age>

Directives

max-age

Specifies the number of seconds after reception of the Expect-CT header field during which the user agent should regard the host from whom the message was received as a known Expect-CT host.

If a cache receives a value greater than it can represent, or if any of its subsequent calculations overflows, the cache will consider the value to be either 2147483648 (2^31) or the greatest positive integer it can conveniently represent.

report-uri="<uri>" Optional

Specifies the URI to which the user agent should report Expect-CT failures.

When both the enforce directive and the report-uri directive are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance with the Certificate Transparency policy should be enforced and that violations should be reported.

enforce Optional

Signals to the user agent that compliance with the Certificate Transparency policy should be enforced (rather than only reporting compliance) and that the user agent should refuse future connections that violate its Certificate Transparency policy.

When both the enforce directive and the report-uri directive are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance with the Certificate Transparency policy should be enforced and that violations should be reported.

Example

The following example specifies enforcement of Certificate Transparency for 24 hours and reports violations to foo.example.

Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"
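
As an added example (not part of the original page and not any browser's implementation), the following Python code parses an Expect-CT value using the directive rules described above and reports which configuration it yields. The function names and the "report-only", "no-op" and "ignored" labels are assumptions made for illustration; max-age is treated as required because it is the only directive this page does not mark Optional.

```python
import re

MAX_AGE_CAP = 2 ** 31  # oversized max-age values are treated as 2147483648

def parse_expect_ct(value):
    """Parse an Expect-CT header value; raise ValueError if it is malformed."""
    policy = {"max_age": None, "enforce": False, "report_uri": None}
    seen = set()
    # Split on commas, but not on commas inside a quoted report-uri.
    for part in re.findall(r'(?:[^,"]|"[^"]*")+', value):
        name, sep, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not name:
            continue
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                raise ValueError("max-age must be a number of seconds")
            policy["max_age"] = min(int(arg), MAX_AGE_CAP)
        elif name == "enforce":
            if sep:
                raise ValueError("enforce takes no value")
            policy["enforce"] = True
        elif name == "report-uri":
            match = re.fullmatch(r'"([^"]+)"', arg)
            if not match:
                raise ValueError("report-uri must be a quoted URI")
            policy["report_uri"] = match.group(1)
        # Unknown directives are skipped (assumption for this example).
    if policy["max_age"] is None:
        raise ValueError("max-age is missing")
    return policy

def effective_mode(value, scheme):
    """Classify the configuration a header value yields (labels are this example's)."""
    if scheme.lower() != "https":
        return "ignored"  # the header has no effect over plain HTTP
    policy = parse_expect_ct(value)
    if policy["enforce"] and policy["report_uri"]:
        return "enforce-and-report"
    if policy["enforce"]:
        return "enforce"
    return "report-only" if policy["report_uri"] else "no-op"

# Constructed sample: the header from the Example section above.
SAMPLE = 'max-age=86400, enforce, report-uri="https://foo.example/report"'
if __name__ == "__main__":
    print(parse_expect_ct(SAMPLE), effective_mode(SAMPLE, "https"))
```

Running such a check against a staging response before deployment catches a header that omits max-age or leaves report-uri unquoted.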

Notes

Root CAs manually added to the trust store override and suppress Expect-CT reports/enforcement.

Browsers will not remember an Expect-CT policy, unless the site has 'proven' it can serve a certificate satisfying the certificate transparency requirements. Browsers implement their own trust model regarding which CT logs are considered trusted for the certificate to have been logged to.

Builds of Chrome are designed to stop enforcing the Expect-CT policy 10 weeks after the installation's build date.

Specifications

Specification: Internet Draft
Title: Expect-CT Extension for HTTP

Browser compatibility

Desktop

  • Chrome: full support since 61. Note: Before later builds of Chrome 64, invalid Expect-CT reports would be sent. Newer versions do not send reports after 10 weeks from the build date. See bug 786563.
  • Edge: compatibility unknown
  • Firefox: compatibility unknown
  • Internet Explorer: compatibility unknown
  • Opera: full support since 48
  • Safari: compatibility unknown

Mobile

  • Android webview: no support
  • Chrome for Android: full support since 61
  • Firefox for Android: compatibility unknown
  • Opera for Android: full support since 45
  • Safari on iOS: compatibility unknown
  • Samsung Internet: no support