PrivaCT is a browser extension that leverages Prism to deliver trust-minimized Certificate Transparency (CT) directly to users.
When you visit a website, your browser establishes a secure connection using TLS certificates issued by trusted Certificate Authorities (CAs). These certificates verify the site’s authenticity. However, CAs have a history of being compromised or issuing certificates improperly, leading to risks like man-in-the-middle attacks, phishing sites appearing legitimate, or even government surveillance programs exploiting misissued certificates.
To address these issues, Certificate Transparency (CT) was introduced. CT requires that every certificate issued by a CA be publicly logged in an append-only, tamper-proof transparency log. But here’s the catch: as a user, how do you know if the certificate you’re seeing has actually been logged in one of these transparency logs? This is where PrivaCT steps in.
The goal of PrivaCT is to empower everyday users by automatically and transparently verifying whether a website’s certificate is properly logged in a Prism-based transparency system — all from within their browser. This brings the benefits of decentralized, trust-minimized certificate transparency directly to end users.
The system is built on three core components:
- Prism Devnet: A distributed, transparent store for certificates.
- CT Service: Continuously fetches certificates from transparency logs and submits them to Prism.
- Browser Extension: Verifies certificates directly against the Prism Devnet whenever a user visits a website.
Here’s how the extension works:
- When a user navigates to a website, the extension triggers a background check.
- It extracts the site’s TLS certificate using a Firefox API.
- The extension queries the Prism Full Node to retrieve a Merkle Proof for the certificate.
- It fetches the latest root hash from Prism to ensure it’s working with an up-to-date view of the transparency log.
- The extension verifies the inclusion proof directly within the browser.
- It validates both the Merkle proof from the CA and the proof from Prism.
- Finally, it updates the browser action icon:
  - Green: The certificate is valid and logged.
  - Red: The certificate fails the check or is missing.
PrivaCT bridges the gap between Certificate Transparency and user trust, ensuring a safer and more transparent browsing experience.
- Firefox ≥109 ✅ (extension manifest v3)
- Rust
- Nodejs
- Web-ext CLI (for Firefox)
In the project directory:

```sh
npm install
```
Go to the following repo and follow the instructions given: https://github.com/MmithridatesS/PrivaCT-service
Once the service is running it needs some time to set up the accounts of the CT log providers. In a real-world scenario the service would run in the backend, freeing the user from these steps.
Once the Prism full node is running and the service has been running for a while, the extension is ready to use. Build and launch it with the following steps in the project directory:

```sh
npm run build
cd dist
web-ext run
```