Expect-CT security header for whonix.org

Currently using:

expect-ct: max-age=604800, report-uri="https://whonix.report-uri.com/r/d/ct/enforce"

enforce Optional

Signals to the user agent that compliance with the Certificate Transparency policy should be enforced (rather than only reporting compliance) and that the user agent should refuse future connections that violate its Certificate Transparency policy.

When both the enforce directive and the report-uri directive are present, the configuration is referred to as an “enforce-and-report” configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported.

Considering adding enforce.

expect-ct: max-age=604800, enforce, report-uri="https://whonix.report-uri.com/r/d/ct/enforce"


This was resolved.

Removed report-uri=“https://whonix.report-uri.com/r/d/ct/enforce”.

Hardenize: Comprehensive web site configuration test

Now showing:

report-uri x

And the x is orange, not a green arrow, indicating non-perfection.

Reporting to a third party such as report-uri.com can be a privacy issue as mentioned in "whonix.report-uri.com".

Options:

  • A) Expect-CT violation reporting to third party report-uri.com (old option)
  • B) Expect-CT without violation reporting (current option)
  • C) Expect-CT self-hosted reporting (Theoretical option. Open Source software might not exist. Reporting potential TLS issues to source of TLS issues might be conceptually flawed.)
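The thread works through three header shapes (report-only, enforce-and-report, enforce without reporting) and raises the privacy point that a third-party report-uri sends violation reports off-site. The following Python is an added example, not code from this thread or from the Whonix project: it parses an Expect-CT value, classifies it into the modes the quoted MDN text describes, and flags a report-uri whose host is outside the site's own domain. Function names are mine; the header strings are reconstructed from the thread with ASCII quotes instead of the forum's curly ones.

```python
"""Parse and classify an Expect-CT response header value.

Added example for the whonix.org Expect-CT thread; not the project's code.
Directive syntax follows RFC 9163: max-age (required), enforce (flag),
report-uri (absolute URI). Header values below are constructed from the thread.
"""
from urllib.parse import urlparse

# Constructed from the thread (ASCII quotes; the forum post shows curly ones).
OLD_HEADER = 'max-age=604800, report-uri="https://whonix.report-uri.com/r/d/ct/enforce"'
PROPOSED_HEADER = 'max-age=604800, enforce, report-uri="https://whonix.report-uri.com/r/d/ct/enforce"'
CURRENT_HEADER = 'max-age=604800, enforce'


def parse_expect_ct(value):
    """Return a dict of directives, validating each known one.

    Directive names are case-insensitive. Splitting on ',' assumes the
    report-uri contains no literal comma, which holds for the URIs in the thread.
    """
    directives = {}
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        if name == "max-age":
            if val is None or not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            directives[name] = int(val)
        elif name == "enforce":
            if val is not None:
                raise ValueError("enforce takes no value")
            directives[name] = True
        elif name == "report-uri":
            parsed = urlparse(val or "")
            if parsed.scheme != "https" or not parsed.netloc:
                raise ValueError("report-uri must be an absolute https URI")
            directives[name] = val
        else:
            # User agents ignore unknown directives; keep them so a reviewer sees them.
            directives[name] = val
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    return directives


def classify(directives):
    """Map a directive set to the configurations named in the quoted MDN text."""
    enforce = bool(directives.get("enforce"))
    reports = "report-uri" in directives
    if enforce and reports:
        return "enforce-and-report"
    if enforce:
        return "enforce-only"
    if reports:
        return "report-only"
    return "max-age-only"  # neither enforced nor reported


def reporting_is_third_party(directives, site_host):
    """True when violation reports would leave the site's own domain.

    This is the privacy consideration from the thread: a report-uri on
    report-uri.com tells that operator which clients hit CT violations.
    """
    uri = directives.get("report-uri")
    if uri is None:
        return False
    host = (urlparse(uri).hostname or "").lower()
    site_host = site_host.lower()
    return not (host == site_host or host.endswith("." + site_host))


if __name__ == "__main__":
    for label, header in (("old", OLD_HEADER), ("proposed", PROPOSED_HEADER), ("current", CURRENT_HEADER)):
        d = parse_expect_ct(header)
        print(f"{label:9s} {classify(d):19s} third-party reporting: {reporting_is_third_party(d, 'whonix.org')}")
```

Running the block prints the old header as report-only with third-party reporting, the proposed one as enforce-and-report, and the current one as enforce-only with no reporting at all, which is what the Hardenize result in the thread reflects. One caveat when reading these results today: Chrome has since dropped Expect-CT support, so the header is largely inert in current browsers regardless of which option is chosen.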