TLS Policy
Here are some details about how Transport Layer Security or TLS (formerly SSL) works in Brave.
On all platforms except iOS, we currently use the upstream Chromium implementation unmodified.
On iOS, TLS connections are handled by the Operating System.
On each platform that we support, except for iOS, we use the same default root store as Chrome. See https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md.
On iOS, we rely on the Apple root store.
While we do enable root pinning enforcement and HSTS preloading, we do not currently use the list that ships with Chrome. Instead, we have our own lists: https://github.com/brave/brave-core/blob/master/chromium_src/net/tools/transport_security_state_generator/input_file_parsers.cc
You can confirm that it is working in your browser using these test domains:
- https://ssl-pinning.someblog.org/ should be blocked with a TLS error
- https://pinning-test.badssl.com/ should load normally and display a red page instead of a TLS error
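The lookup that a preload list like the one linked above drives, as an added example that is neither Brave's nor Chromium's code: it mirrors the shape of Chromium's `transport_security_state_static.json` entries (name, mode, include_subdomains, pins) on constructed sample data, computes the base64 SHA-256 SPKI pin form, and shows how subdomain coverage, unpinned hosts and bad pins are decided.

```python
import base64
import hashlib
from typing import List, Optional

def spki_pin(spki_der: bytes) -> str:
    """Pin form used in Chromium-style preload lists: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (real ones come from certificates).
SITE_SPKI = b"constructed-spki-site-key"
BACKUP_SPKI = b"constructed-spki-backup-key"
ROGUE_SPKI = b"constructed-spki-rogue-key"
# Constructed preload data shaped like transport_security_state_static.json, simplified so
# that a pinset carries its hashes inline rather than naming them from a separate .pins file.
PRELOAD = {
    "pinsets": {"example-pins": {
        "static_spki_hashes": [spki_pin(SITE_SPKI), spki_pin(BACKUP_SPKI)],
        "bad_static_spki_hashes": [spki_pin(ROGUE_SPKI)]}},
    "entries": [
        {"name": "example.test", "mode": "force-https", "include_subdomains": True, "pins": "example-pins"},
        {"name": "login.example.test", "mode": "force-https", "include_subdomains": False},
        {"name": "cdn.other.test", "mode": "force-https", "include_subdomains": False}]}

def lookup(host: str, want: str) -> Optional[dict]:
    """Closest entry carrying `want` ("mode" for HSTS, "pins" for pinning): an exact match, else the
    nearest ancestor flagged include_subdomains. Labels match whole, so notexample.test is not covered."""
    by_name = {e["name"]: e for e in PRELOAD["entries"]}
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = by_name.get(".".join(labels[i:]))
        if entry is None or want not in entry:
            continue
        if i == 0 or entry.get("include_subdomains"):
            return entry
    return None

def is_force_https(host: str) -> bool:
    entry = lookup(host, "mode")
    return entry is not None and entry["mode"] == "force-https"

def pins_for(host: str) -> Optional[dict]:
    entry = lookup(host, "pins")
    return None if entry is None else PRELOAD["pinsets"][entry["pins"]]

def chain_satisfies_pins(host: str, chain_spkis: List[bytes]) -> bool:
    """A pinned host's chain needs at least one good pin and no bad pin; unpinned hosts pass."""
    pinset = pins_for(host)
    if pinset is None:
        return True
    seen = {spki_pin(s) for s in chain_spkis}
    if seen & set(pinset["bad_static_spki_hashes"]):
        return False
    return bool(seen & set(pinset["static_spki_hashes"]))
```

A chain that presents a good pin alongside a bad one still fails, which is why the bad-pin set is checked first.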
On iOS, we rely on Apple's CT policy and the CT support in WebKit.
On desktop & Android, we follow Chrome's CT policy and started enforcement in 1.56 (https://github.com/brave/brave-core/pull/17944). SCT auditing is disabled.