Signed Certificate Timestamps support is broken
Please answer the following questions for yourself before submitting an issue
- [x] Filters were updated before reproducing an issue
- [x] I checked the knowledge base and found no answer
- [x] I checked to make sure that this issue has not already been filed
AdGuard version
7.20.3
Browser version
Chrome 137
OS version
Windows 11 24H2
Issue Details
Steps to reproduce:
- Go to https://no-sct.badssl.com/ to check that the Signed Certificate Timestamps are working correctly
- View site information (button next to the URL in Chrome)
Expected Behavior
The browser should issue the error: net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED and mark the connection as an unsecured connection.
Actual Behavior
The browser loads the web page and marks it as a secure connection, when it is not.
Additional Information
The feature was implemented in 2023, but it doesn't seem to be working properly. Did AdGuard remove it, or is it a bug?
Hello! We use the same policy as Chrome: SCT checks work only for 1.5 months for every build, then you should upgrade.
Since the AG release cycle is not exactly every 1.5 months, there may be periods when SCT checks do not work.
We can't simply increase the CT log list lifetime because this expiration time is actually the CT log commissioning delay. New CT logs may be commissioned after 1.5 months, and then newly created certs may be considered invalid.
So to improve this, the solution could be for AdGuard to be able to fetch new CT log lists.
Alternatively, we should just make sure that the release cycle is no more than 1.5 months.
Generally, it is possible to guarantee that we'll be publishing at least a minor update every 6 weeks.
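
The gap between the per-build SCT lifetime and the release cycle discussed in this thread, as an added example (not AdGuard or Chrome code, and not part of any comment above). It models the "1.5 months" lifetime as 42 days; the release dates and the `update_lag` parameter are constructed for illustration.

```python
from datetime import date, timedelta

# Assumption: the thread's "1.5 months" per-build lifetime is modeled as 6 weeks.
CT_LIST_LIFETIME = timedelta(days=42)


def sct_enforced(build_date, today, lifetime=CT_LIST_LIFETIME):
    """True while the CT log list shipped in a build is still treated as fresh."""
    return build_date <= today < build_date + lifetime


def enforcement_gaps(releases, until, update_lag=timedelta(0),
                     lifetime=CT_LIST_LIFETIME):
    """Date ranges [start, end) in which a client runs with SCT checks off.

    releases   -- build dates of successive releases
    until      -- end of the observation window
    update_lag -- how long after a release the client installs it (hypothetical)
    """
    releases = sorted(releases)
    gaps = []
    for i, build in enumerate(releases):
        expiry = build + lifetime
        # The client keeps this build until it installs the next one.
        if i + 1 < len(releases):
            replaced = min(releases[i + 1] + update_lag, until)
        else:
            replaced = until
        if expiry < replaced:
            gaps.append((expiry, replaced))
    return gaps


def unprotected_days(gaps):
    return sum((end - start).days for start, end in gaps)


# Constructed release dates (not real AdGuard releases): 5, 9 and 5 weeks apart.
SAMPLE_RELEASES = [date(2025, 1, 6), date(2025, 2, 10),
                   date(2025, 4, 14), date(2025, 5, 19)]
SAMPLE_UNTIL = date(2025, 6, 16)

if __name__ == "__main__":
    for lag in (0, 10):
        gaps = enforcement_gaps(SAMPLE_RELEASES, SAMPLE_UNTIL, timedelta(days=lag))
        print(f"update lag {lag:>2} days: {unprotected_days(gaps)} days unenforced")
        for start, end in gaps:
            print(f"  {start} .. {end}")
```

With the constructed dates, a client that updates on release day has one 21-day window without SCT checks (the 9-week interval), while a client that updates 10 days late has a window after every release it installs late.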