[Security] Add support for Certificate Transparency in Brave #22482

fmarier · 2022-04-21T21:22:29Z

We currently don't enforce certificate transparency in Brave, unlike Chrome and Safari.

This is what the interstitial looks like like Chrome:

It involves the PKI metadata component, which we enable in Brave, the ERR_CERTIFICATE_TRANSPARENCY_REQUIRED_ERROR error code as well as these feature flags:

Turning on these flags in brave://flags doesn't help:

The text was updated successfully, but these errors were encountered:

fmarier · 2022-04-26T00:59:11Z

From https://source.chromium.org/chromium/chromium/src/+/main:net/docs/certificate-transparency.md?q=CERTIFICATE_TRANSPARENCY_REQUIRED&ss=chromium%2Fchromium%2Fsrc&start=31:

However, as Google Chrome looks to roll out a more rigorous enforcement of Certificate Transparency, by enforcing that newly-issued certificates are disclosed as a condition of being trusted, the risks to the CA and CT ecosystem significantly increase if embedders implement CT without the ability for reliable, rapid updates, keeping track with ongoing development in the main tree and reliably delivering security updates on the same cadence as Chromium branches and Google Chrome releases.

For this reason, the CT implementation is undergoing a refactoring to reduce those risks through code and implementation. As a result, Chromium embedders will NOT have CT enforcement enabled by default, and are NOT encouraged to manually enable it at this time.

fmarier · 2022-05-14T00:11:32Z

The reason CT enforcement is disabled in Brave is that the RequireCTDelegate doesn't change the default CT policy. This delegate is set based on params_->enforce_chrome_ct_policy which is set based on IsCertificateTransparencyEnabled().

Removing the GOOGLE_CHROME_BRANDING and OFFICIAL_BUILD checks:

diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/sys>
index 0269a74140c80..7b72a383bc279 100644
--- a/chrome/browser/net/system_network_context_manager.cc
+++ b/chrome/browser/net/system_network_context_manager.cc
@@ -896,7 +896,8 @@ bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
   return true;
 #endif
 #else
-  return false;
+  //return false;
+  return true;
 #endif
 }

I was able to make the test page work.

fmarier · 2022-06-02T17:32:44Z

Before we enable this, we need to ensure that SCT auditing is turned off and not sending any data.

See https://source.chromium.org/chromium/chromium/src/+/main:chrome/common/chrome_features.cc;l=864-872;drc=a8473792f0f00c3574886d861118219f54fd3620 for the feature flag.

This makes Brave follow the same Certificate Transparency policy as Chrome for TLS certificates. It also excludes Brave hostnames which are involved with browser updates in order to ensure that updates always work even if the certificate transparency code breaks in the future.

stephendonner · 2023-05-27T06:00:28Z

Verification `PASSED` using

Brave	1.53.67 Chromium: 114.0.5735.53 (Official Build) beta (x86_64)
Revision	c499d7ea22c8b2dba278465a5df7b86a8efa4e64-refs/branch-heads/5735@{#970}
OS	macOS Version 11.7.7 (Build 20G1345)

Steps:

installed 1.53.67
launched Brave
opened https://no-sct.badssl.com in Brave
confirmed the TLS error page with code NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
opened https://sct-exempted.bravesoftware.com in Chrome
confirmed the TLS error page NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
opened https://sct-exempted.bravesoftware.com in Brave
confirmed that the page loaded fine
opened the same page in Chrome
confirmed I got the above ERR_CERTIFICATE... page

`no-sct.badssl.com` Brave	`no-sct.badssl.com` Chrome	`sct-exempted.bravesoftware.com/` Brave	`sct-exempted.bravesoftware.com` Chrome

MadhaviSeelam · 2023-06-02T00:56:43Z

Verification PASSED using

Brave | 1.53.76 Chromium: 114.0.5735.90 (Official Build) beta (64-bit)
-- | --
Revision | 386bc09e8f4f2e025eddae123f36f6263096ae49-refs/branch-heads/5735@{#1052}
OS | Windows 11 Version 22H2 (Build 22621.1702)

Steps:

installed 1.53.76
launched Brave
opened https://no-sct.badssl.com in Brave
confirmed the TLS error page with code NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
opened https://sct-exempted.bravesoftware.com in Chrome
confirmed the TLS error page NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
opened https://sct-exempted.bravesoftware.com in Brave
confirmed that the page loaded fine

Brave (step 4)	Chrome (step 6)	Brave(step 8)

stephendonner · 2023-06-09T22:32:20Z

Verification `PASSED` using

Brave 1.53.87 Chromium: 114.0.5735.110 (Official Build) beta (64-bit) 
Revision 1c828682b85bbc70230a48f5e345489ec447373e-refs/branch-heads/5735_90@{#13}
OS Linux

Steps:

installed 1.53.87
launched Brave
opened https://no-sct.badssl.com in Brave
confirmed the TLS error page with code NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
opened https://sct-exempted.bravesoftware.com in Chrome
confirmed the TLS error page NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
opened https://sct-exempted.bravesoftware.com in Brave
confirmed that the page loaded fine
opened the same page in Chrome
confirmed I got the above ERR_CERTIFICATE... page

`no-sct.badssl.com` Brave	`no-sct.badssl.com` Chrome	`sct-exempted.bravesoftware.com/` Brave	`sct-exempted.bravesoftware.com` Chrome

fmarier added OS/Android Fixes related to Android browser functionality OS/Desktop labels Apr 21, 2022

diracdeltas added the security label Apr 27, 2022

fmarier self-assigned this Apr 30, 2022

fmarier added the priority/P3 The next thing for us to work on. It'll ride the trains. label Aug 4, 2022

fmarier mentioned this issue Apr 6, 2023

Enable SCT enforcement brave/brave-core#17944

Merged

19 tasks

fmarier added QA/Yes release-notes/include and removed OS/Android Fixes related to Android browser functionality labels Apr 7, 2023

fmarier changed the title ~~Investigate adding support for Certificate Transparency in Brave~~ Add support for Certificate Transparency in Brave Apr 7, 2023

fmarier closed this as completed in brave/brave-core#17944 May 19, 2023

brave-builds added this to the 1.53.x - Nightly milestone May 19, 2023

stephendonner added QA Pass-macOS QA/Test-Plan-Specified labels May 27, 2023

kjozwiak added the QA/Test-All-Platforms label Jun 1, 2023

MadhaviSeelam added the QA Pass-Win64 label Jun 2, 2023

stephendonner added QA/In-Progress Indicates that QA is currently in progress for that particular issue QA Pass-Linux and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Jun 9, 2023

LaurenWags changed the title ~~Add support for Certificate Transparency in Brave~~ [Security] Add support for Certificate Transparency in Brave Jun 12, 2023

LaurenWags mentioned this issue Jul 17, 2023

Desktop Release Notes for 1.56.x Release #2 #31677

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Add support for Certificate Transparency in Brave #22482

[Security] Add support for Certificate Transparency in Brave #22482

fmarier commented Apr 21, 2022

fmarier commented Apr 26, 2022

fmarier commented May 14, 2022

fmarier commented Jun 2, 2022 •

edited

Loading

stephendonner commented May 27, 2023

MadhaviSeelam commented Jun 2, 2023

stephendonner commented Jun 9, 2023 •

edited

Loading

[Security] Add support for Certificate Transparency in Brave #22482

[Security] Add support for Certificate Transparency in Brave #22482

Comments

fmarier commented Apr 21, 2022

fmarier commented Apr 26, 2022

fmarier commented May 14, 2022

fmarier commented Jun 2, 2022 • edited Loading

stephendonner commented May 27, 2023

Verification PASSED using

Steps:

MadhaviSeelam commented Jun 2, 2023

Steps:

stephendonner commented Jun 9, 2023 • edited Loading

Verification PASSED using

Steps:

fmarier commented Jun 2, 2022 •

edited

Loading

Verification `PASSED` using

stephendonner commented Jun 9, 2023 •

edited

Loading

Verification `PASSED` using