Hacker News new | ask | show | jobs
by jeroenhd 480 days ago
135.0.1 on Ubuntu is warning me. Maybe Mozilla is doing a delayed rollout?

For context, in about:config my security.pki.certificate_transparency.mode is set to 2. According to https://wiki.mozilla.org/SecurityEngineering/Certificate_Tra... if it's on 0 (disabled) or 1 (not enforcing, collecting telemetry only), you can enable it.

I can imagine Mozilla setting that setting to 1 by default (collecting telemetry on sites you visit) and Debian overridding it for privacy purposes.
1 comments
lxgr 480 days ago
Does the browser actually communicate with any external service for enforcing CT?

I was under the impression it just checked the certificate for an inclusion proof, and actual monitoring of consistency between these proofs and logs is done by non-browser entities.

link
tialaramex 479 days ago
I assume Firefox doesn't implement this but one idea at the core of a full CT system is "gossip". Suppose your browser visits a site which has Dodgy Cert which has a bogus SCT, there should be some chance that the browser tells other people who care, maybe it anonymously sends some info to a gossip integrator. Browsers don't check that every SCT they see makes consistent sense, if your browser is shown two SCTs which could not exist in the same universe it won't realise - but the hypothetical gossip integrator can see if any browsers sampled any SCTs which are not mutually coherent and raise alarms.

This would detect e.g. US government forces Google's log to cover up a CIA-obtained certificate for north-korean-military.example so it works fine for visitors, but the Korean's can't see it in the public logs. There's no sign that anything like this has ever happened, but in theory it would be easier to pull off since gossip is not implemented.

link
tgsovlerkhgsel 480 days ago
No, I assume but Mozilla was first collecting telemetry to see if enabling CT would cause user-visible errors or not.
link
lxgr 480 days ago
Ah, good point – presumably 2 also sends telemetry to Mozilla?
link
tgsovlerkhgsel 480 days ago
I would expect (without having checked) that both 1 and 2 send telemetry to Mozilla if and only if the global telemetry switch is on (which I think it is by default).
link