Mozilla is planning to add support for Certificate Transparency checks in Firefox in the near future, but the company says that the feature won’t be turned on by default at first.
Certificate Transparency is a proposal from engineers at Google that would help resolve some of the issues with certificate authorities, fraudulent certificates and stolen certificates. The framework would provide a public log of every certificate that’s issued by compliant CAs and also would provide proof to users’ browsers when each certificate is presented. Google is planning to implement CT in Chrome, and now Mozilla officials say that the company will implement in Firefox, but the process will be a gradual one.
“With help from the Google CT team, we are currently planning to add code to Firefox and/or NSS that will check for CT information in a TLS handshake. We will create preferences that allow the user to apply these checks to TLS handshakes (either all or a subset), but these preferences will be off by default,” Mozilla said in a statement on its wiki.
“To emphasize: The current CT implementation will have no impact on users who do not explicitly enable it. Before any action is taken to apply CT by default, there will need to be extensive discussion of where it should be applied, and how the results of CT should impact the Firefox user experience.”
CT is still evolving and it’s in the IETF system as an experimental protocol. Some CAs already have committed to CT, including GlobalSign and DigiCert. The framework relies on CAs and browser vendors supporting the protocol, so it will take some time for the full effect of CT to be felt if it’s implemented broadly.