authorbhanudev <bhanudev@google.com>2015-07-21 11:16:07 -0700
committerCommit bot <commit-bot@chromium.org>2015-07-21 18:17:53 +0000
commita250ccfb581fb9353c0efe18789df49a91ddb0a5 (patch)
tree496ff5a4b6d88075004130bf3881e4db703dd65a
parent73e2f9151f96ca91faa1faf1eb986b5a4fd29ebc (diff)
New SSL metric added: Likely From Same Domain
This metric records the CERT_COMMON_NAME_INVALID errors when the hostname entered and one of the DNS names of the certificate have the same effective domain name (eTLD+1). This helps us see whether the certificate is completely random or whether it is related to the current hostname. BUG=507715 Review URL: https://codereview.chromium.org/1227173006 Cr-Commit-Position: refs/heads/master@{#339699}
-rw-r--r--chrome/browser/ssl/ssl_error_classification.cc26
-rw-r--r--chrome/browser/ssl/ssl_error_classification.h5
-rw-r--r--chrome/browser/ssl/ssl_error_classification_unittest.cc6
-rw-r--r--tools/metrics/histograms/histograms.xml7
4 files changed, 44 insertions, 0 deletions
diff --git a/chrome/browser/ssl/ssl_error_classification.cc b/chrome/browser/ssl/ssl_error_classification.cc
index eea8925..c7ac505b 100644
--- a/chrome/browser/ssl/ssl_error_classification.cc
+++ b/chrome/browser/ssl/ssl_error_classification.cc
@@ -55,6 +55,7 @@ enum SSLInterstitialCause {
AUTHORITY_ERROR_CAPTIVE_PORTAL,
SELF_SIGNED,
EXPIRED_RECENTLY,
+ LIKELY_SAME_DOMAIN,
UNUSED_INTERSTITIAL_CAUSE_ENTRY,
};
@@ -208,6 +209,8 @@ void SSLErrorClassification::RecordUMAStatistics(
RecordSSLInterstitialCause(overridable, SUBDOMAIN_INVERSE_MATCH);
if (IsCertLikelyFromMultiTenantHosting())
RecordSSLInterstitialCause(overridable, LIKELY_MULTI_TENANT_HOSTING);
+ if (IsCertLikelyFromSameDomain())
+ RecordSSLInterstitialCause(overridable, LIKELY_SAME_DOMAIN);
} else {
RecordSSLInterstitialCause(overridable, HOST_NAME_NOT_KNOWN_TLD);
}
@@ -463,6 +466,29 @@ bool SSLErrorClassification::IsCertLikelyFromMultiTenantHosting() const {
return true;
}
+bool SSLErrorClassification::IsCertLikelyFromSameDomain() const {
+ std::string host_name = request_url_.host();
+ std::vector<std::string> dns_names;
+ cert_.GetDNSNames(&dns_names);
+
+ dns_names.push_back(host_name);
+ std::vector<std::string> dns_names_domain;
+
+ for (const std::string& dns_name : dns_names) {
+ dns_names_domain.push_back(
+ net::registry_controlled_domains::GetDomainAndRegistry(
+ dns_name,
+ net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES));
+ }
+
+ DCHECK(!dns_names_domain.empty());
+ const std::string& host_name_domain = dns_names_domain.back();
+
+ // Last element is the original domain. So, excluding it.
+ return std::find(dns_names_domain.begin(), dns_names_domain.end() - 1,
+ host_name_domain) != dns_names_domain.end() - 1;
+}
+
// static
bool SSLErrorClassification::IsHostnameNonUniqueOrDotless(
const std::string& hostname) {
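Review bot: IsCertLikelyFromSameDomain() returns true whenever the request host and one of the certificate names both map to an empty eTLD+1, because GetDomainAndRegistry() yields "" for a host with no known registry and for IP literals, and the std::find on the last two lines of the function then matches two empty strings. RecordUMAStatistics() only calls it from the known-TLD branch, but the method is public and is called directly from the unit test, so it should protect itself: after `const std::string& host_name_domain = dns_names_domain.back();` add `if (host_name_domain.empty()) return false;`. The same check would also make the DCHECK and the `end() - 1` arithmetic unnecessary if the host's domain were computed once up front and the SAN list scanned with std::any_of instead of being copied into a second vector, which reads more directly than appending the host to dns_names and excluding it again at the end.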
diff --git a/chrome/browser/ssl/ssl_error_classification.h b/chrome/browser/ssl/ssl_error_classification.h
index 2eda135..89869b9 100644
--- a/chrome/browser/ssl/ssl_error_classification.h
+++ b/chrome/browser/ssl/ssl_error_classification.h
@@ -117,6 +117,11 @@ class SSLErrorClassification : public content::NotificationObserver {
// fields.
bool IsCertLikelyFromMultiTenantHosting() const;
+ // Returns true if the hostname in |request_url_| has the same domain
+ // (effective TLD + 1 label) as at least one of the subject
+ // alternative names in |cert_|.
+ bool IsCertLikelyFromSameDomain() const;
+
static std::vector<Tokens> GetTokenizedDNSNames(
const std::vector<std::string>& dns_names);
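Review bot: The new comment on IsCertLikelyFromSameDomain() mentions only the subject alternative names, while the histogram text added for value 13 in histograms.xml says "the common name or at least one of the subject alternative names"; the two descriptions of the same metric should agree. If X509Certificate::GetDNSNames() falls back to the subject CN when the certificate has no SAN extension (which its documented RFC 2818 behaviour suggests, but confirm against the implementation), the header should say so, e.g. `// alternative names (or the subject CN when no SAN is present) in |cert_|.`; otherwise the histogram description should be narrowed to SANs only. It would also help callers to state that the result is meaningless when |request_url_| has no registrable domain, since the comparison is then between empty strings.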
diff --git a/chrome/browser/ssl/ssl_error_classification_unittest.cc b/chrome/browser/ssl/ssl_error_classification_unittest.cc
index 593afde..c052a4f 100644
--- a/chrome/browser/ssl/ssl_error_classification_unittest.cc
+++ b/chrome/browser/ssl/ssl_error_classification_unittest.cc
@@ -59,6 +59,7 @@ TEST_F(SSLErrorClassificationTest, TestNameMismatch) {
host_name_tokens));
EXPECT_FALSE(ssl_error.IsSubDomainOutsideWildcard(host_name_tokens));
EXPECT_FALSE(ssl_error.IsCertLikelyFromMultiTenantHosting());
+ EXPECT_TRUE(ssl_error.IsCertLikelyFromSameDomain());
}
{
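Review bot: None of the new expectations here, nor those at lines 99, 106, 113, 120 and 127, covers the input most likely to produce a wrong answer from IsCertLikelyFromSameDomain(): a request host for which GetDomainAndRegistry() returns an empty string (an unregistered suffix or an IP literal) paired with a certificate name that also has no registrable domain, where the current implementation compares two empty strings and returns true. A block with a constructed host such as `host.internal` and a certificate whose DNS names share that property should carry an `EXPECT_FALSE(ssl_error.IsCertLikelyFromSameDomain());`. The enclosing TEST_F(SSLErrorClassificationTest, TestNameMismatch) starts before this hunk, so the fixture setup for such a case is not visible here.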
@@ -76,6 +77,7 @@ TEST_F(SSLErrorClassificationTest, TestNameMismatch) {
dns_name_tokens_google));
EXPECT_FALSE(ssl_error.AnyNamesUnderName(dns_name_tokens_google,
host_name_tokens));
+ EXPECT_TRUE(ssl_error.IsCertLikelyFromSameDomain());
}
{
@@ -93,6 +95,7 @@ TEST_F(SSLErrorClassificationTest, TestNameMismatch) {
dns_name_tokens_google));
EXPECT_FALSE(ssl_error.AnyNamesUnderName(dns_name_tokens_google,
host_name_tokens));
+ EXPECT_TRUE(ssl_error.IsCertLikelyFromSameDomain());
}
{
@@ -110,6 +113,7 @@ TEST_F(SSLErrorClassificationTest, TestNameMismatch) {
dns_name_tokens_google));
EXPECT_FALSE(ssl_error.AnyNamesUnderName(dns_name_tokens_google,
host_name_tokens));
+ EXPECT_FALSE(ssl_error.IsCertLikelyFromSameDomain());
}
{
@@ -127,6 +131,7 @@ TEST_F(SSLErrorClassificationTest, TestNameMismatch) {
dns_name_tokens_google));
EXPECT_FALSE(ssl_error.AnyNamesUnderName(dns_name_tokens_google,
host_name_tokens));
+ EXPECT_FALSE(ssl_error.IsCertLikelyFromSameDomain());
}
scoped_refptr<net::X509Certificate> webkit_cert(
@@ -155,6 +160,7 @@ TEST_F(SSLErrorClassificationTest, TestNameMismatch) {
host_name_tokens));
EXPECT_TRUE(ssl_error.IsSubDomainOutsideWildcard(host_name_tokens));
EXPECT_FALSE(ssl_error.IsCertLikelyFromMultiTenantHosting());
+ EXPECT_TRUE(ssl_error.IsCertLikelyFromSameDomain());
}
}
diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml
index f6f649f..cfdfb82 100644
--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -68907,6 +68907,13 @@ To add a new entry, add it with any value and run test to compute valid value.
<int value="12" label="EXPIRED_RECENTLY: Cert expired within last 28 days.">
</int>
+ <int value="13"
+ label="LIKELY_SAME_DOMAIN: Cert likely belongs to the same domain">
+ This case is recorded if the SSL error is CERT_COMMON_NAME_INVALID error and
+ the hostname in request URL has the same domain (effective TLD + 1 label) as
+ the common name or at least one of the subject alternative names in
+ certificate. This case is not recorded if the host name is not a known tld.
+ </int>
</enum>
<enum name="SSLErrorHandlerEvent" type="int">