babylonhealth/certificate-transparency-android

Enable running for public (vs internal/intranet) hosts

yschimke opened this issue · 4 comments

Rather than an explicit whitelist, run for public sites (based on Expect-CT header?) and collect expect-ct and store from previous runs

#drivebyfeaturesuggestion

I'd aim to have support for both. The whitelist gets around the need for server changes to add in Expect-CT headers in the first place, as well as the need for a pre-loaded list to get around issues of receiving the header on first use, which is still open to attack.

Mainly a note for myself, but what is the best way/place to cache this data on non-Android in the main library? Question also applies to Android; however, shared prefs or file locations are better defined.

Cc @swankjesse this comes up frequently. In 4.1 should we expose a store for HSTS or expect-ct memory?

Closing this issue as moving the work into a project https://github.com/appmattus/certificatetransparency/projects/1#card-55581643
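
As an added example (not code from this thread, the library, or OkHttp): an in-memory store that combines a preloaded host list with policies learned from `Expect-CT` headers on earlier connections, the two approaches discussed above. All class and function names are hypothetical, the one-year cap is an assumption, and persisting the map is left to the platform.

```kotlin
import java.util.concurrent.ConcurrentHashMap

// Hypothetical types for illustration; not part of the library or OkHttp.
data class ExpectCtPolicy(val enforce: Boolean, val expiresAtMillis: Long, val preloaded: Boolean = false)

class ExpectCtStore(
    preloadedHosts: Set<String> = emptySet(),
    private val now: () -> Long = { System.currentTimeMillis() }
) {
    private val policies = ConcurrentHashMap<String, ExpectCtPolicy>()
    private val maxAgeCapSeconds = 365L * 24 * 60 * 60 // assumption: cap learned entries at one year

    init {
        // Preloaded hosts are enforced from the very first connection, which closes the first-use gap.
        preloadedHosts.forEach { policies[it.lowercase()] = ExpectCtPolicy(true, Long.MAX_VALUE, preloaded = true) }
    }

    // Call only with a header received over a TLS connection that already passed CT verification;
    // a header from an unverified connection must not be stored.
    fun observe(host: String, headerValue: String) {
        val key = host.lowercase()
        if (policies[key]?.preloaded == true) return // a header cannot weaken a preloaded entry
        // Simplified parsing: assumes no commas inside the quoted report-uri value.
        val directives = headerValue.split(',').map { it.trim() }.filter { it.isNotEmpty() }
        val maxAge = directives.firstOrNull { it.startsWith("max-age=", ignoreCase = true) }
            ?.substringAfter('=')?.trim('"')?.toLongOrNull()
        if (maxAge == null || maxAge < 0) return // max-age is required; ignore malformed headers
        if (maxAge == 0L) { policies.remove(key); return } // max-age=0 tells the client to forget the host
        val enforce = directives.any { it.equals("enforce", ignoreCase = true) }
        policies[key] = ExpectCtPolicy(enforce, now() + minOf(maxAge, maxAgeCapSeconds) * 1000)
    }

    fun mustEnforce(host: String): Boolean {
        val key = host.lowercase()
        val policy = policies[key] ?: return false
        if (policy.expiresAtMillis <= now()) { policies.remove(key); return false }
        return policy.enforce
    }
}

fun main() {
    var clock = 0L // constructed clock so expiry can be shown without waiting
    val store = ExpectCtStore(preloadedHosts = setOf("preloaded.example")) { clock }
    println(store.mustEnforce("preloaded.example")) // preloaded: enforced before any header is seen
    println(store.mustEnforce("learned.example"))   // unknown host: nothing to enforce on first use
    store.observe("learned.example", "max-age=86400, enforce, report-uri=\"https://reports.example/ct\"")
    println(store.mustEnforce("learned.example"))   // learned from the constructed header above
    clock = 86_400_001L
    println(store.mustEnforce("learned.example"))   // entry has passed its max-age
}
```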