7. Security Considerations

7.1. Hostile Header Attacks

When UAs support the Expect-CT header field, it becomes a potential vector for hostile header attacks against site owners. If a site owner uses a certificate issued by a certificate authority that neither embeds SCTs nor serves SCTs via the Online Certificate Status Protocol (OCSP) or the TLS extension, a malicious server operator or attacker could temporarily reconfigure the host to comply with the UA's CT Policy and add the Expect-CT header field in enforcing mode with a long max-age. Implementing user agents would note this as an Expect-CT Host (see Section 2.3.2.1). After having done this, the configuration could then be reverted to not comply with the CT Policy, prompting failures. Note that this scenario would require the attacker to have substantial control over the infrastructure in question, being able to obtain different certificates, change server software, or act as a man in the middle in connections.

Site operators can mitigate this situation by one of the following: reconfiguring their web server to transmit SCTs using the TLS extension defined in Section 6.5 of [RFC9162]; obtaining a certificate from an alternative certificate authority that provides SCTs by one of the other methods; or waiting for the user agent's persisted notation of this as an Expect-CT Host to reach its max-age. User agents may choose to implement mechanisms for users to cure this situation, as noted in Section 4.

7.2. Maximum max-age

There is a security trade-off in that low maximum values provide a narrow window of protection for users that visit the Known Expect-CT Host only infrequently, while high maximum values might result in a denial of service to a UA in the event of a hostile header attack or simply an error on the part of the site owner.

There is probably no ideal maximum for the max-age directive. Since Expect-CT is primarily a policy-expansion and investigation technology rather than an end-user protection, a value on the order of 30 days (2,592,000 seconds) may be considered a balance between these competing security concerns.
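The following is an added example, not part of this RFC or of any particular UA implementation, showing how a UA could parse the Expect-CT field value and clamp the advertised max-age to a configured ceiling so that a hostile or mistaken header cannot pin a host for longer than the UA is willing to honour. The directive grammar here is simplified (comma-separated directives, optional quoted or bare values, case-insensitive names) and the 30-day cap is the figure from the text above, applied as an assumed UA policy constant.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed UA-side ceiling on max-age: the 30-day figure discussed in 7.2.
MAX_MAX_AGE_SECONDS = 30 * 24 * 60 * 60  # 2,592,000 seconds

@dataclass
class ExpectCTPolicy:
    max_age: int            # seconds, after clamping
    enforce: bool
    report_uri: Optional[str]

# One directive: name, optional '=' value (quoted-string or bare token),
# followed by a comma or the end of the field value. Simplified grammar.
_DIRECTIVE_RE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^",;\s]+)))?\s*(?:,|$)'
)

def parse_expect_ct(header_value: str,
                    cap: int = MAX_MAX_AGE_SECONDS) -> Optional[ExpectCTPolicy]:
    """Parse an Expect-CT field value; return None if it is malformed or
    lacks max-age. The parsed max-age is clamped to `cap` seconds."""
    max_age: Optional[int] = None
    enforce = False
    report_uri: Optional[str] = None
    pos = 0
    while pos < len(header_value):
        m = _DIRECTIVE_RE.match(header_value, pos)
        if not m:
            return None  # syntax error: ignore the whole header
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "max-age":
            if value is None or not value.isdigit():
                return None  # max-age must be a non-negative integer
            max_age = int(value)
        elif name == "enforce":
            enforce = True
        elif name == "report-uri":
            if value is None:
                return None
            report_uri = value
        # Unrecognised directives are skipped (assumed extension behaviour).
        pos = m.end()
    if max_age is None:
        return None  # max-age is the one required directive
    return ExpectCTPolicy(max_age=min(max_age, cap),
                          enforce=enforce, report_uri=report_uri)
```

A UA that stores the clamped `max_age` rather than the raw value bounds the worst case of a hostile header to the UA's own ceiling, whatever the site advertised.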

7.3. Amplification Attacks

Another kind of hostile header attack uses the report-uri mechanism on many hosts not currently exposing SCTs as a method to cause a denial of service to the host receiving the reports. If some highly trafficked websites emitted a non-enforcing Expect-CT header field with a report-uri, implementing UAs' reports could flood the reporting host. It is noted in Section 2.1.1 that UAs should limit the rate at which they emit reports, but an attacker may alter the Expect-CT header fields to induce UAs to submit different reports to different URIs to still cause the same effect.
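The following is an added example, not code from this RFC or from any UA, illustrating the rate-limiting point above: a sliding-window limiter that keys on the Expect-CT host rather than on the report-uri. The same simulation is run with both keying choices on a constructed stream of 100 reports whose report-uri changes every time, showing that keying on the report-uri lets rotation defeat the limit while keying on the host does not. The limit values and host names are constructed.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

class ReportRateLimiter:
    """Sliding-window limiter for Expect-CT reports.

    key_by="host"       -> budget is per Expect-CT host (recommended here)
    key_by="report-uri" -> budget is per report-uri (defeated by rotation)
    Limits are constructed values, not taken from the specification.
    """
    def __init__(self, max_reports: int = 5, window_seconds: float = 3600.0,
                 key_by: str = "host"):
        if key_by not in ("host", "report-uri"):
            raise ValueError("key_by must be 'host' or 'report-uri'")
        self.max_reports = max_reports
        self.window = window_seconds
        self.key_by = key_by
        self._sent: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, host: str, report_uri: str,
              now: Optional[float] = None) -> bool:
        """Return True if a report for (host, report_uri) may be sent now,
        and record it; False if the budget for its key is exhausted."""
        now = time.monotonic() if now is None else now
        key = host.lower() if self.key_by == "host" else report_uri
        q = self._sent[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_reports:
            return False
        q.append(now)
        return True

def count_emitted(limiter: ReportRateLimiter, host: str,
                  report_uris: List[str], start: float = 0.0) -> int:
    """Simulate one host sending a report-triggering response per second,
    each with a different report-uri; return how many reports get out."""
    sent = 0
    for i, uri in enumerate(report_uris):
        if limiter.allow(host, uri, now=start + i):
            sent += 1
    return sent

if __name__ == "__main__":
    # Constructed scenario: attacker rotates the report-uri on every response.
    uris = [f"https://victim.example/ct-report?{i}" for i in range(100)]
    print("host-keyed:", count_emitted(ReportRateLimiter(key_by="host"),
                                       "www.example", uris))
    print("uri-keyed: ", count_emitted(ReportRateLimiter(key_by="report-uri"),
                                       "www.example", uris))
```

Keying the budget on the host that emitted the header means that no matter how many distinct report-uri values that host cycles through, the number of reports it can cause a single UA to send in a window is fixed; a per-report-uri budget gives the host a fresh allowance with every new URI.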