by perching_aix 482 days ago
CT is an append-only distributed log for certificate issuances. People and client software can use it to check if a certificate is being provided by a trusted CA, if it has been revoked, or is being provided by multiple CAs (the latter possibly indicating CA compromise). CA meaning Certificate Authority, the organizations that issue certificates.

This provides a further layer of technological defense in attempting to mitigate your web browser traffic being intercepted and potentially tampered with.

In practice a regular person is unlikely to run into this, because web PKI is mostly working as expected, so there's no reason for the edge cases to happen en masse. This change is covering one such edge case.

No idea how the typical corporate interception solutions (e.g. Zscaler) circumvent it in other browsers where this check has long been implemented.


Will Mitmproxy stop working?
Chrome treats certificates added by user as not requiring CT: https://github.com/mitmproxy/mitmproxy/discussions/5720
And to wit, Firefox too:

> Setting this preference to 2 causes Firefox to enforce CT for certificates issued by roots in Mozilla's Root CA Program.

I believe so. You'll need to disable CT enforcement / or add your SPKI hash to the ignore list in the browser settings temporarily to get it working. [0] I guess this is also how corporations get around this issue? Still unsure.

[0] https://wiki.mozilla.org/SecurityEngineering/Certificate_Tra...

No. CT is only required for public CAs. You only need those browser policy settings if you’re using a public CA without CT.
I'd imagine this is why certs that terminate in root certificates manually added to the trust store will work fine then [as stated by other comments]?
Right, any CA you add yourself that isn’t part of what Mozilla ships isn’t considered a publicly trusted CA.
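The thread above describes two things a browser does: it parses the SCTs (signed log inclusion promises) that a CA embeds in a certificate, and it only demands them when the chain ends in a publicly trusted root, so a locally added mitmproxy or corporate root is exempt. The following is an added example, not code from the thread or from any browser, that does both in plain Python: it parses an RFC 6962 SignedCertificateTimestampList and applies that policy. The log IDs, SPKI bytes and signature bytes are constructed placeholders (the signatures are not verified; that would need each log's public key), and the `sha256/<base64>` SPKI form mirrors what Chrome's CT exemption policy lists use.

```python
"""Parse an RFC 6962 SCT list and apply a browser-style CT requirement.
Added example for illustration; all inputs below are constructed."""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# RFC 5246 SignatureAndHashAlgorithm code points used inside an SCT.
HASH_SHA256 = 4
SIG_ECDSA = 3


@dataclass
class SCT:
    version: int
    log_id: bytes          # SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int      # ms since Unix epoch when the log promised inclusion
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes       # over the precert/cert; not verified here


def parse_sct(raw: bytes) -> SCT:
    """Parse one TLS-encoded SignedCertificateTimestamp (RFC 6962 s3.2)."""
    if not raw or raw[0] != 0:
        raise ValueError("unsupported SCT version")
    log_id = raw[1:33]
    (timestamp_ms,) = struct.unpack(">Q", raw[33:41])
    (ext_len,) = struct.unpack(">H", raw[41:43])
    extensions = raw[43:43 + ext_len]
    p = 43 + ext_len
    hash_alg, sig_alg = raw[p], raw[p + 1]
    (sig_len,) = struct.unpack(">H", raw[p + 2:p + 4])
    signature = raw[p + 4:p + 4 + sig_len]
    if len(signature) != sig_len or p + 4 + sig_len != len(raw):
        raise ValueError("malformed digitally-signed struct")
    return SCT(0, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes) -> List[SCT]:
    """Parse a SignedCertificateTimestampList: 2-byte length, then
    length-prefixed SCTs (RFC 6962 s3.3). Rejects truncated input."""
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:]
    if total != len(body):
        raise ValueError("list length does not match payload")
    scts, pos = [], 0
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        raw = body[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(raw))
        pos += n
    return scts


def spki_hash(spki_der: bytes) -> str:
    """'sha256/<base64>' of the SubjectPublicKeyInfo DER, the form used in
    Chrome's per-CA CT exemption policy (and in the Firefox thread above)."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def ct_compliant(sct_list: Optional[bytes], root_spki_der: bytes,
                 public_roots: Set[str], exempt: Set[str],
                 min_scts: int = 2) -> bool:
    """Browser-style policy: CT is only required when the chain terminates in
    a publicly trusted root that has not been exempted. min_scts=2 is a
    simplification of the real per-lifetime quotas."""
    root = spki_hash(root_spki_der)
    if root not in public_roots or root in exempt:
        return True  # locally added or exempted root: no SCTs needed
    if not sct_list:
        return False
    return len(parse_sct_list(sct_list)) >= min_scts


# --- constructed sample data (not real logs, roots or signatures) ---------
def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)                       # no extensions
            + bytes([HASH_SHA256, SIG_ECDSA])
            + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(scts: List[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


FAKE_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x02"          # placeholder DER blob
SAMPLE_SCT_LIST = encode_sct_list([
    encode_sct(hashlib.sha256(b"log-a").digest(), 1700000000000, FAKE_SIG),
    encode_sct(hashlib.sha256(b"log-b").digest(), 1700000001000, FAKE_SIG),
])
PUBLIC_ROOT_SPKI = b"constructed-public-root-spki"      # stands in for a DER SPKI
LOCAL_ROOT_SPKI = b"constructed-mitmproxy-ca-spki"      # a root the user installed
PUBLIC_ROOTS = {spki_hash(PUBLIC_ROOT_SPKI)}

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_SCT_LIST):
        print(sct.log_id.hex()[:16], sct.timestamp_ms)
    print("public root, SCTs:", ct_compliant(SAMPLE_SCT_LIST, PUBLIC_ROOT_SPKI, PUBLIC_ROOTS, set()))
    print("public root, none:", ct_compliant(None, PUBLIC_ROOT_SPKI, PUBLIC_ROOTS, set()))
    print("local root, none: ", ct_compliant(None, LOCAL_ROOT_SPKI, PUBLIC_ROOTS, set()))
```

The last three lines of output are the thread's three cases: a public CA with embedded SCTs passes, a public CA without them fails, and a chain ending in a user-installed root passes without any SCTs at all. Adding the public root's `spki_hash` to the `exempt` set reproduces the per-CA ignore list mentioned above.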