Certificate Transparency in Firefox: A Big Step for Web Security

ozim

Wonder why they say you should monitor transparency logs instead of setting up CAA records - malicious actors will most likely disregard CAA anyway.

linwangg

Great move! Curious to see how this will impact lesser-known CAs. Will this make it easier to detect misissued certs, or will enforcement still depend on browser policies?

arccy

firefox is just catching up with what chrome implemented years ago. unless you have a site visited only by firefox users, ecosystem effect is likely to be minimal... though it does protect firefox users in the time between detection and remediation.

joelthelion

Can someone explain in a nutshell what CT is, and how does it help security for the average user?

perching_aix

CT is an append-only distributed log for certificate issuances. People and client software can use it to check if a certificate has been revoked or is being provided by multiple CAs (the latter possibly indicating CA compromise). CA meaning Certificate Authority, the organizations that issue certificates.

This provides a further layer of technological defense to attempting the mitigation of your web browser traffic being intercepted and potentially tampered with.

In practice a regular person is unlikely to run into this, because web PKI is mostly working as expected, so there's no reason for the edge cases to happen en masse. This change is covering one such edge case.

No idea how the typical corporate interception solutions (e.g. Zscaler) circumvent it in other browsers where this check has long been implemented.
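The "append-only log" described above is a Merkle tree; as an added example (not code from the thread, Mozilla or any CT log), here is the RFC 6962 hashing a log uses and the RFC 9162 inclusion check a client runs so that a log cannot claim it holds a certificate it never logged. The entries are constructed stand-ins for DER-encoded certificates.

```python
# Added example (not from the thread): RFC 6962 Merkle hashing behind a CT log and the RFC 9162 inclusion check.
import hashlib

# Constructed stand-ins for the DER-encoded certificates a log would hold.
LOG_ENTRIES = [b"cert:example.test:serial-%d" % i for i in range(5)]

def leaf_hash(entry: bytes) -> bytes:
    # 0x00 prefix: a leaf hash can never be mistaken for an interior node.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix for interior nodes (second-preimage protection).
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_tree_hash(entries: list[bytes]) -> bytes:
    # Tree head; split at the largest power of two strictly below len(entries).
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = 1 << ((len(entries) - 1).bit_length() - 1)
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))

def audit_path(m: int, entries: list[bytes]) -> list[bytes]:
    # Sibling hashes the log returns so a client can rebuild the root from leaf m.
    if len(entries) <= 1:
        return []
    k = 1 << ((len(entries) - 1).bit_length() - 1)
    if m < k:
        return audit_path(m, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return audit_path(m - k, entries[k:]) + [merkle_tree_hash(entries[:k])]

def verify_inclusion(index: int, size: int, entry: bytes, path: list[bytes], root: bytes) -> bool:
    # Recompute the root from the leaf and its path; only the signed tree head is trusted.
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                while fn and not fn & 1:
                    fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

A monitor watching the log for its own domains does the same arithmetic in reverse: it fetches new entries and checks them against the published tree heads, which is why an entry cannot later be silently removed.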

djaychela

There's a site for it here (linked 2 levels deep from the original article):

https://certificate.transparency.dev/

MidnightRider39

certificates themselves are snake oil so pouring more on top won’t improve them if they are flawed from the get-go

E.g. GUANG DONG CERTIFICATE AUTHORITY and many others

schoen

Congratulations! That's terrific news.