
We recently had a penetration test performed on our site and one of the recommendations was to implement the Expect-CT HTTP response header:

It is recommended to implement the Expect-CT header. A sensible setting for testing would be the following; however, the max-age should be increased from 30 seconds to something in the range of months once this has been tested and signed off for permanent deployment.

Example: Expect-CT: enforce,max-age=30

Severity: Low

However, the MDN article for this setting says:

The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.

Given that we are now in June 2021, is there any reason why I shouldn't just ignore this recommendation from the penetration testing report?

HappyDog
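As an added example (not code from the question, the pentest report or the MDN article), here is a small Python check of an Expect-CT header value such as the one the report recommends. The directive syntax follows RFC 9163 (comma-separated directives, `max-age` required, `enforce` valueless, `report-uri` a quoted URI); the 30-day month used to turn "months" into seconds is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The report recommended 30 s for testing and "months" once signed off; a
# 30-day month is an assumption used here to turn that advice into a number.
SECONDS_PER_MONTH = 30 * 24 * 3600
RECOMMENDED_MIN_MAX_AGE = SECONDS_PER_MONTH


@dataclass
class ExpectCT:
    max_age: int
    enforce: bool
    report_uri: Optional[str]


def parse_expect_ct(value: str) -> ExpectCT:
    """Parse an Expect-CT value per RFC 9163: comma-separated directives,
    max-age required, enforce valueless, report-uri a quoted-string."""
    seen = {}
    for raw in value.split(","):
        if not raw.strip():
            continue
        name, has_value, val = raw.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = val.strip() if has_value else None
    if "max-age" not in seen or not re.fullmatch(r"\d+", seen["max-age"] or ""):
        raise ValueError("max-age is required and must be a non-negative integer")
    if "enforce" in seen and seen["enforce"] is not None:
        raise ValueError("enforce takes no value")
    uri = seen.get("report-uri")
    if uri is not None:
        uri = uri.strip('"')  # directive-value is a quoted-string
    return ExpectCT(int(seen["max-age"]), "enforce" in seen, uri)


def review(value: str) -> List[str]:
    """Findings a defender would raise about a header value; empty means OK."""
    try:
        h = parse_expect_ct(value)
    except ValueError as e:
        return [f"invalid header: {e}"]
    findings = []
    if h.max_age < RECOMMENDED_MIN_MAX_AGE:
        findings.append(f"max-age={h.max_age}s is a test value; use >= {RECOMMENDED_MIN_MAX_AGE}s")
    if not h.enforce:
        findings.append("no enforce directive: violations are only reported, not blocked")
    if not h.enforce and h.report_uri is None:
        findings.append("neither enforce nor report-uri: header has no effect")
    return findings
```

Running `review("enforce,max-age=30")` reports only the short test max-age, which is exactly the point the report asks to revisit before permanent deployment.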

1 Answer


I was wondering the same thing. I think you need to ask yourself how up to date your users' browsers are. As stated below, it looks to me like Firefox, Chrome and Safari enforce it. But if you have a lot of users on older browsers, then it might still be useful to set the header, because it is widely supported.

From https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/docs/certificate-transparency.md:

Since 1 January 2015, Chrome has required that all Extended Validation certificates be disclosed via Certificate Transparency. Certificates that were not properly disclosed would be stripped of their EV status, but no warnings would be shown to visitors to sites that did not comply.

Since 1 June 2016, Chrome has required that all new certificates issued by the set of root certificates owned by Symantec Corporation are disclosed via Certificate Transparency. Certificates that were not disclosed, or which were not disclosed in a way consistent with RFC 6962, would be rejected as untrusted.

For all new certificates issued after 30 April 2018, Chrome will require that the certificate be disclosed via Certificate Transparency. If a certificate is issued after this date and neither the certificate nor the site supports CT, then these certificates will be rejected as untrusted, and the connection will be blocked. In the case of a main page load, the user will see a full page certificate warning page, with the error code net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED. If you receive this error, this indicates that your CA has not taken steps to make sure your certificate supports CT, and you should contact your CA's sales or support team to ensure you can get a replacement certificate that works.

Here is another article, https://www.thesslstore.com/blog/apple-certificate-transparency-october-15/, according to which Firefox and Safari also enforce it by now.

Here is Apple's new Certificate Transparency policy:

Our policy requires at least two Signed Certificate Timestamps (SCT) issued from a CT log (once approved* or currently approved at the time of check) and either:

At least two SCTs from currently-approved CT logs with one SCT presented via TLS extension or OCSP Stapling; or

At least one embedded SCT from a currently-approved log and at least the number of SCTs from once or currently approved logs, based on validity period as detailed in the table below.

Nactive
"I think you need to ask yourself how to update are the browsers of your users" How relevant is that? The linked information talks about certificate validity - any 'old' certificates should, by now, have expired and therefore will not be recognised by any browser, no matter the age. – HappyDog Aug 18 '21 at 08:14