We recently had a penetration test performed on our site and one of the recommendations was to implement the Expect-CT HTTP response header:
It is recommended to implement the Expect-CT header. A sensible setting for
testing would be the following, however the max-age should
be increased from 30 seconds to in the range of months once this has been
tested and signed-off for permanent deployment.
Example: Expect-CT: enforce,max-age=30
Severity: Low
However, the MDN article for this setting says:
The Expect-CT will likely become obsolete in June 2021. Since May
2018 new certificates are expected to support SCTs by default.
Certificates before March 2018 were allowed to have a lifetime of
39 months, those will all be expired in June 2021.
Given that we are now in June 2021, is there any reason why I shouldn't just ignore this recommendation from the penetration testing report?
I was wondering the same thing. I think you need to ask yourself how to update are the browsers of your users.
As stated bellow it looks to me Firefox, Chrome and Safari enforce it. But if you have a lot of users on older browsers then it still might be useful setting the header because it is widely supported.
From https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/docs/certificate-transparency.md:
Since 1 January 2015, Chrome has required that all Extended Validation
certificates be disclosed via Certificate Transparency. Certificates
that were not properly disclosed would be stripped of their EV status,
but no warnings would be shown to visitors to sites that did not
comply.
Since 1 June 2016, Chrome has required that all new certificates
issued by the set of root certificates owned by Symantec Corporation
are disclosed via Certificate Transparency. Certificates that were not
disclosed, or which were not disclosed in a way consistent with RFC
6962, would be rejected as untrusted.
For all new certificates issued after 30 April 2018, Chrome will
require that the certificate be disclosed via Certificate
Transparency. If a certificate is issued after this date and neither
the certificate nor the site supports CT, then these certificates will
be rejected as untrusted, and the connection will be blocked. In the
case of a main page load, the user will see a full page certificate
warning page, with the error code
net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED. If you receive this error,
this indicates that your CA has not taken steps to make sure your
certificate supports CT, and you should contact your CA's sales or
support team to ensure you can get a replacement certificate that
works.
Here is another article https://www.thesslstore.com/blog/apple-certificate-transparency-october-15/ where Firefox and Safari also enforce it by now.
Here is Apple’s new Certificate Transparency policy Our policy
requires at least two Signed Certificate Timestamps (SCT) issued from
a CT log—once approved* or currently approved at the time of check—and
either:
At least two SCTs from currently-approved CT logs with one SCT
presented via TLS extension or OCSP Stapling; or At least one embedded
SCT from a currently-approved log and at least the number of SCTs from
once or currently approved logs, based on validity period as detailed
in the table below.
Related
So I have had an app in google play for almost 6 months now, the last two month I updated my apps screenshots and from there I begun to get an app rejection each time I update My app.
The last time I fired an appeal and it got accepted so I thought that after the appeal got accepted I won't have any issue when I update my app in the future.
But now I got a new update and it got rejected again with Not adhering to Unauthorized use of copyrighted content policy
Those are the screenshots that I created my self.
Now what is the problem, Why do the google auto validation bots not accept those images?
Since the appeal got accepted it means that there should not be any problem.
Is there any way I could validate those images online for google play? and see what's wrong?
Or do you see any problem here that I can't see?
Here is the link to my google app if someone would like to check it out and see if I violate any policy with the description or otherwise.
https://play.google.com/store/apps/details?id=com.novelmanager&gl=SE
Here is the rejection mail I got.
Hi Developers at Alen Toma,
After a recent review, we found that your app NovelManager (com.novelmanager) is not compliant with one or more of our Developer Program Policies. See below for more information about your app’s status and how to correct the issue.
Issue with your app
Your app contains content that doesn't comply with the Unauthorized Use of Copyrighted Content policy.
About Unauthorized Use of Copyrighted Content policy
We don’t allow apps that infringe copyright. Modifying copyrighted content may still lead to a violation. Developers may be required to provide evidence of their rights to use copyrighted content.
App status: Rejected
Your app has been rejected and wasn't published due to this policy issue. If you submitted an update, the previous version of your app is still available on Google Play.
Action required: Submit an updated app for review
Here’s what to do to help get your app on Google Play:
Please review the Developer Distribution Agreement and Unauthorized Use of Copyrighted Content policy.
Make appropriate changes to your app, and be sure to address the issue described above. Also check your app’s store listing for compliance, if applicable.
Double check that your app is compliant with all other Developer Program Policies.
Sign in to your Play Console and submit the update to your app.
Not adhering to Unauthorized use of copyrighted content policy
The copyrighted content includes the novels.
one of the cover images has copyrighted content that could be anything character or logo for example I can write a story that includes superman the story it self not copyrighted but the cover has superman image witch is copyrighted
you can try to blur the images something like this
I want to build a system where a document is to be signed by the user. It may be the case that user takes 10 days to sign the document or even in minutes things are done.
Using Remote signing : User will receive the mail from third party app, and the validity of that signing link is long like 10-15 days.
Using Embedded signing : User will have to sign the document within minutes. No mail is received from 3rd party app.
I want to have a hybrid kind of system, where our system should send the mail containing the signing link to user and that link should be valid for 10-15 days.
There are workarounds for my use requirements. But I want a robust and proper solution for this.
All of the above is easily achievable with the HelloSign API. In both cases the signing link is generated right when the user launches the document to sign so there's no risk for it to expire.
Non-embedded signing: with one API call, HelloSign will send an email to the user with the link to launch the document, an email reminder if the user takes long to sign, and an email with the link to download the final document once signed. The link the user gets can only expire if the document is manually marked as cancelled (or declined by the user).
Embedded signing: in 3 API calls you are able to create the document, generate the link for the document once the signer is ready to sign in your workflow, and download the completed document for you and the user. The API uses webhooks to inform you of events during the document lifecycle, and you have the ability to handle all notifications to the user as well as the timing for each API call.
Hope this helps! Let know if you'd like me to expand on the above.
You want your app to send the email and control the validity time for the link. You also, it appears, want to use embedded signing. All of the above is straight forward with DocuSign. See my prior answer on how to create long lived embedded signing links.
[I work for DocuSign]
Re: embed UI in our app?
You can update your app to iFrame DocuSign's Signing Ceremony, redirect to it, or open a new browser tab for the signing ceremony.
iFraming is not recommended since it does not enable signers to assure themselves that they're using DocuSign. If you do use an iFrame, the DocuSign Signing Ceremony must receive 100% of the width and height to provide the best signing experience (especially on mobiles).
You can brand the DocuSign signing ceremony to include your app's logo and match your app's colors, fonts, etc.
I'm working on W10 box.
One day all Chromium based web browsers (Chrom, Opera) stopped working with any Google based services showing "Cert is revoked" message on SSL access.
Given Cert is:
https://censys.io/certificates?q=37839b99a1c97d649b3d931ff055eba5f1493434
What is very strange Edge browser is working well.
What's more all browers show the same Certificate (checked details) for a given web page but only Edge is working with it.
What's the problem ?
So it's finally solved.
Somehow, have no idea why, my CERT store had 2 copies of the main signing cert called "Google Trust Services -GlobalSign Root CA-R2".
The one used for signing Google services.
Once I delete the "bad" one all browsers work well!
How can I verify the signature of a message following the CMS structure (https://www.rfc-editor.org/rfc/rfc5652) by using the Firefox Add-On SDK?
I already could find some classes (e.g. http://doxygen.db48x.net/mozilla/html/interfacensICMSMessage.html), but I'm unsure if I can use them in an Add-On as there is not very much documentation.
If this is not possible, is there at least a way to check if the given certificate of the message is trusted by the list of CAs built into Firefox? (I'll try to use the webcrypto API to verify the signature in this case)
I need a cheap certificate to sign my application so I can get rid of SmartScreen warning : https://playgunscape.com/downloadgunscape/Windows8_SS_1.png .
Also I'm having problem with false positive from various antivirus programs each time I release an update. As far as I've heard, signing the exe might fix this problem too .
I found an offer from comodo, 2 years for 150 $ . But it's still a lot of money .
https://cheapsslsecurity.com/sslproducts/codesigningcertificate.html
Does anyone know a better offer ?
Unfortunately "Cheap" is relative to results. The amount of time it is probably taking you and frustration is probably worth paying for and "EV" Class 3 certificate (Extended valuation)
Class 3 certificates are a step above the Class 2. Class 2 does not require “Extended Validation”. However the “EV” code signing certificates combine all of the regular benefits of digitally-signed code with a rigorous extended validation process. They represent the gold standard for authentication and security in code signing certificates. EV code signing certificates adhere to strict validation standards from the CA/Browser Forum and to Microsoft specifications. Enhanced authentication is provided via an encrypted token containing the private key. But the down side is they cost about $350 per year... Good news... It will fix the problem.