In an older article, we covered the reasons behind the deprecation of the HPKP header in favor of the Expect-CT header. As of June 2021, this header has become obsolete as well. This article explains why.
Certificate Transparency (CT) is an Internet security standard and open source framework used for monitoring and auditing digital certificates.
It was designed to fix several structural flaws in the SSL/TLS certificate ecosystem. Introduced in RFC 6962, it allows logging certificates that are issued by certificate authorities (CAs).
This gives the public worldwide visibility into the certificates a given CA has issued, so a misissued certificate for a domain cannot go unnoticed.
The Expect-CT header builds on exactly that: it instructs the browser to check whether the site follows the Certificate Transparency guidelines and to verify that the site is doing what it claims.
However, Expect-CT has served its purpose and is now obsolete: as of June 2021 the header is no longer needed. According to Mozilla:
The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.
When a site includes the Expect-CT header in HTTP responses, it asks the browser to check that any certificate for that site appears in public CT logs.
For all certificates issued after 30 April 2018, Chrome requires that the certificate be disclosed via Certificate Transparency, which is proven by a TLS extension of type Signed Certificate Timestamp (SCT) sent during the handshake.
If a certificate was issued after this date and neither the certificate nor the website supports CT, the certificate is rejected and the connection is blocked. The user sees the familiar Chrome red warning page with the error code net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED.
Google didn't want to break existing websites. Because rendering previously issued certificates obsolete was not an option, it decided to keep accepting them, leveraging this header, until they expired (certificates issued after April 2018 did not need the header because they already carried an SCT).
Since certificates issued before that date were allowed to have a lifetime of 39 months, the last of those certificates expire in June 2021. This is why the header is obsolete as of June 2021.
If your certificate supports SCT (Signed Certificate Timestamp) by default, the Expect-CT header is not required.
If you still send this header on your site, there is no need to worry: it does no harm, but it brings little value either, since the mainstream browsers (Chrome, Firefox, Safari, Edge) are already CT-compliant.
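The timeline above can be turned into a small decision model. The following is an added example, not code from the original article: the cut-off dates and the 39-month lifetime come from the text, while the directive syntax of the header (max-age, enforce, report-uri) is assumed from the Expect-CT specification.

```python
# Added example: a model of the Expect-CT timeline described in the article.
# Dates and the 39-month rule are taken from the text; the header directive
# syntax (max-age, enforce, report-uri) is assumed from the Expect-CT spec.
import calendar
from datetime import date
from typing import Optional

CHROME_SCT_REQUIRED_AFTER = date(2018, 4, 30)  # certs issued after this must carry SCTs
LEGACY_LIFETIME_END = date(2018, 3, 1)         # before March 2018, 39-month lifetimes were allowed
LEGACY_LIFETIME_MONTHS = 39
ERR_CT_REQUIRED = "net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date, clamping the day to the target month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def last_legacy_expiry() -> date:
    """Latest expiry of a pre-CT certificate: March 2018 + 39 months = June 2021."""
    return add_months(LEGACY_LIFETIME_END, LEGACY_LIFETIME_MONTHS)


def parse_expect_ct(value: str) -> dict:
    """Parse e.g. 'max-age=86400, enforce, report-uri="https://x/ct"' into a dict."""
    policy = {"max_age": None, "enforce": False, "report_uri": None}
    for directive in value.split(","):          # assumes no comma inside report-uri
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            policy["max_age"] = int(arg)
        elif name == "enforce":
            policy["enforce"] = True
        elif name == "report-uri":
            policy["report_uri"] = arg.strip('"')
    return policy


def ct_decision(not_before: date, has_sct: bool, expect_ct: Optional[str]) -> str:
    """Outcome of one connection, following the article's description."""
    if has_sct:
        return "accepted"                         # CT satisfied by the SCT
    if not_before > CHROME_SCT_REQUIRED_AFTER:
        return "blocked: " + ERR_CT_REQUIRED      # Chrome's own policy, header irrelevant
    if expect_ct and parse_expect_ct(expect_ct)["enforce"]:
        return "blocked: enforced Expect-CT policy"  # legacy cert, site opted in
    return "accepted"                             # legacy cert, no opt-in: still allowed


def expect_ct_still_relevant(today: date) -> bool:
    """The header only matters while a pre-CT certificate can still be valid."""
    return today < last_legacy_expiry()
```

Running `expect_ct_still_relevant(date.today())` on any date from June 2021 onward returns False, which is the article's conclusion.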