
In the security test report, I have a recommendation to add the Expect-CT header to the HTTP response from the web application; additionally, the developers set this to:

Expect-CT: max-age=0, report-uri=

I am not sure if it is a good idea to add this header. According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT:

"The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021."

So, because certificates are expected to support SCTs by default, I do not think that this header makes any sense.

When it comes to the configuration, according to https://scotthelme.co.uk/a-new-security-header-expect-ct/, max-age=0, report-uri= means:

"This policy is deployed in report-only mode and if the browser doesn't receive CT information that it's happy with, referred to as not being 'CT Qualified', rather than terminate the connection it will simply send a report to the specified report-uri value."

Because I don't have a URI here, the report will not be sent, so there is no additional security at all.

On the other hand, I see that some popular websites like LinkedIn still use this header; the example from LinkedIn:

Expect-CT: max-age=86400, report-uri="https://www.linkedin.com/platform-telemetry/ct"

user187205

1 Answer


Because I don't have a URI here, the report will not be sent, so there is no additional security at all.

You are right.

In case enforce is not specified, as in your case, and the browser detects a CT violation, e.g. because a mis-issued certificate is used or because of a misconfiguration of your website, it makes sense to report it to the website owner. Then, if the problem was caused by misconfiguration, the owner has a chance to fix it. In your case the URI is empty, which means the problems will not be reported to you. In your case, the enforce flag is not specified. This means that in case of problems the browser will still establish the connection. Thus, as you said, such usage of Expect-CT provides no additional security.

In case enforce is specified, the browser will refuse connections to the host. In such cases, even if the URI is empty or points to a non-existent endpoint, there is still value: the browser will warn the user and will refuse connections that are insecure.

additionally developers set this to:

Expect-CT: max-age=0, report-uri=

Because of the reasons above, this makes no sense.

So, because certificates are expected to support SCTs by default, I do not think that this header makes any sense.

From the user's perspective, both SCT and Expect-CT (with the enforce flag) will prevent insecure connections. But if Expect-CT uses a URI to report problems, it can be easier for the owner to be informed about them. Otherwise it may take a long time until you are informed that some users experience problems when connecting to your website, and they may even have stopped visiting it.

But what is the probability that you misconfigure the certificate? See details below.

On the other hand, I see that some popular websites like LinkedIn still use this header ...

I suppose LinkedIn wants to be informed about the cases when the browser believed that CT was violated, e.g. mis-issued certificates were used or the website was misconfigured.

To use or not to use?

I have no statistics about what percentage of users face any CT problems and how many of them are caused by the CA, how many otherwise valid certificates are not registered in a log, or whether there are any CAs that issue especially many certificates without proper registration in a log. That's why I cannot decide for you whether you should use Expect-CT.

I would suggest that you first try to rely on SCTs only. Depending on how the CA delivers the SCTs, some configuration of the web server may be needed. Then use some online service to do a detailed test of the certificate configuration of your website. There are many such services; it is up to you which one to prefer. After you have fixed any issues that such a service has found, you can assume that for most users it will work well, and thus Expect-CT will not have any considerable additional value.

mentallurg