[lxgr]

Does the browser actually communicate with any external service for enforcing CT?

I was under the impression it just checked the certificate for an inclusion proof, and actual monitoring of consistency between these proofs and logs is done by non-browser entities.

[tialaramex]

I assume Firefox doesn't implement this but one idea at the core of a full CT system is "gossip". Suppose your browser visits a site which has Dodgy Cert which has a bogus SCT, there should be some chance that the browser tells other people who care, maybe it anonymously sends some info to a gossip integrator. Browsers don't check that every SCT they see makes consistent sense, if your browser is shown two SCTs which could not exist in the same universe it won't realise - but the hypothetical gossip integrator can see if any browsers sampled any SCTs which are not mutually coherent and raise alarms.

This would detect e.g. US government forces Google's log to cover up a CIA-obtained certificate for north-korean-military.example so it works fine for visitors, but the Korean's can't see it in the public logs. There's no sign that anything like this has ever happened, but in theory it would be easier to pull off since gossip is not implemented.

[tgsovlerkhgsel]

No, I assume but Mozilla was first collecting telemetry to see if enabling CT would cause user-visible errors or not.

[lxgr]

Ah, good point – presumably 2 also sends telemetry to Mozilla?

[tgsovlerkhgsel]

I would expect (without having checked) that both 1 and 2 send telemetry to Mozilla if and only if the global telemetry switch is on (which I think it is by default).