Certificate Transparency in Chrome

You can inspect the SCTs provided by a website using the Google Chrome browser. Open Chrome's developer tools (under "More tools" in the Chrome menu) and switching to the security tab. Browse to the website, then click on its URL under "Main origin" (on the left, in the security tab). This will display security information about the website. Towards the bottom, there will be a section titled "Certificate Transparency", which will list the SCTs provided by the website. If this section is not displayed, then the website did not provide any SCTs and is not compliant with Certificate Transparency. Otherwise, you can compare the listed SCTs with Chrome's policy to check whether the provided SCTs are sufficient.
Chrome DevTools showing Certificate Transparency status

Detailed Signed Certificate Timestamp information

The exact Signed Certificate Timestamps Chrome sees and their validation status is available through Chrome's NetLog, accessible via chrome://net-internals.
The chrome NetLog should be opened before visiting a website. Then switch to the Events view from the drop-down and look for a "SOCKET" event type.
Past the certificate chain, the SCTs received, their origin and validation status will show:

Certificate inclusion checks

Chrome may check that an SCT has been honoured by the CT log that issued it, i.e. that the corresponding certificate is indeed published in that CT log. This is so that a CT log cannot issue an SCT but then never publish the certificate, thereby hiding its existence. Chrome does this by sending a specially-crafted DNS query that requests an inclusion proof from the log. Using DNS allows the user to remain anonymous from the CT log's perspective and enables caching of inclusion proofs. If the log cannot provide a proof, or the proof cannot be verified, then Chrome learns that the log has misbehaved.

It is possible to examine these inclusion checks using Chrome's NetLog (as seen above), but by searching for "TREE_STATE_TRACKER" events.
Comments