Open Bug 2001542 Opened 2 days ago Updated 2 days ago

CT not enforced if no SCTs are sent

Categories

(Firefox for Android :: Browser Engine, defect)

Firefox 145
All
Android
defect

Tracking

UNCONFIRMED

People

(Reporter: hello, Unassigned)

Details

Steps to reproduce:

  1. Go to https://no-sct.badssl.com/

Actual results:

The website loads successfully.

Expected results:

Loading should fail with "Error code: MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY".
This is what Firefox Desktop 145 does.

The changelog for Firefox for Android 145 claims that CT is being enforced. As this test site shows, CT is not correctly enforced.
https://www.firefox.com/en-US/firefox/android/145.0/releasenotes/

The Bugbug bot thinks this bug should belong to the 'Firefox for Android::Browser Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → Browser Engine