authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-09-07 17:48:02 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-09-07 17:48:02 +0000
commit78a4c8446007c074f4385f1313ed1daa23bd8ec0 (patch)
tree3ada15987ed662b7546a244bd2b130adc5d73b91
parentc0ad0313bafabf5bd7f303cf5f6bd93b653677e8 (diff)
net: add prober results to False Start blacklist.
Since the blacklist has grown rather large, it's now precompiled into a hash table in the binary. See also: http://www.imperialviolet.org/2010/09/05/blacklisting.html TEST=net_unittests BUG=none http://codereview.chromium.org/3303008/show git-svn-id: svn://svn.chromium.org/chrome/trunk/src@58712 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/base/ssl_config_service.cc31
-rw-r--r--net/base/ssl_false_start_blacklist.cc34
-rw-r--r--net/base/ssl_false_start_blacklist.h98
-rw-r--r--net/base/ssl_false_start_blacklist.txt671
-rw-r--r--net/base/ssl_false_start_blacklist_process.cc267
-rw-r--r--net/base/ssl_false_start_blacklist_unittest.cc28
-rw-r--r--net/net.gyp32
7 files changed, 1132 insertions, 29 deletions
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index c310cd2..753f1c7 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -3,6 +3,7 @@
// found in the LICENSE file.
#include "net/base/ssl_config_service.h"
+#include "net/base/ssl_false_start_blacklist.h"
#if defined(OS_WIN)
#include "net/base/ssl_config_service_win.h"
@@ -58,35 +59,7 @@ bool SSLConfigService::IsKnownStrictTLSServer(const std::string& hostname) {
// static
bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
const std::string& hostname) {
- // If this list starts growing, it'll need to be something more efficient
- // than a linear list.
- static const char kFalseStartIncompatibleServers[][15] = {
- "www.picnik.com",
- };
-
- static const char kFalseStartIncompatibleDomains[][11] = {
- // Added at the request of A10.
- "yodlee.com",
- };
-
- // Note that the hostname is normalised to lower-case by this point.
- for (size_t i = 0; i < arraysize(kFalseStartIncompatibleServers); i++) {
- if (strcmp(hostname.c_str(), kFalseStartIncompatibleServers[i]) == 0)
- return true;
- }
-
- for (size_t i = 0; i < arraysize(kFalseStartIncompatibleDomains); i++) {
- const char* domain = kFalseStartIncompatibleDomains[i];
- const size_t len = strlen(domain);
- if (hostname.size() >= len &&
- memcmp(&hostname[hostname.size() - len], domain, len) == 0 &&
- (hostname.size() == len ||
- hostname[hostname.size() - len - 1] == '.')) {
- return true;
- }
- }
-
- return false;
+ return SSLFalseStartBlacklist::IsMember(hostname.c_str());
}
static bool g_dnssec_enabled = false;
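Review bot: The deleted comment recorded that `hostname` is already lower-cased at this point, and the replacement call drops that precondition even though the new lookup in `SSLFalseStartBlacklist::IsMember` still compares raw bytes with `memcmp`. Keeping a line such as `// |hostname| is normalised to lower-case by this point; IsMember is case-sensitive.` above the `return` would preserve it for the next reader. Passing `hostname.c_str()` also means a name containing an embedded NUL is matched only up to that byte, whereas the old suffix loop used `hostname.size()`; presumably such names are rejected earlier, but that is not visible in this hunk.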
diff --git a/net/base/ssl_false_start_blacklist.cc b/net/base/ssl_false_start_blacklist.cc
new file mode 100644
index 0000000..9e0f309
--- /dev/null
+++ b/net/base/ssl_false_start_blacklist.cc
@@ -0,0 +1,34 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/ssl_false_start_blacklist.h"
+
+namespace net {
+
+// static
+bool SSLFalseStartBlacklist::IsMember(const char* host) {
+ const char* last_two_labels = LastTwoLabels(host);
+ if (!last_two_labels)
+ return false;
+ const unsigned bucket = Hash(last_two_labels) & (kBuckets - 1);
+ const uint16 start = kHashTable[bucket];
+ const uint16 end = kHashTable[bucket + 1];
+ const size_t len = strlen(host);
+
+ for (size_t i = start; i < end;) {
+ const size_t blacklist_entry_len = static_cast<uint8>(kHashData[i]);
+ if (len >= blacklist_entry_len &&
+ memcmp(&host[len - blacklist_entry_len], &kHashData[i + 1],
+ blacklist_entry_len) == 0 &&
+ (len == blacklist_entry_len ||
+ host[len - blacklist_entry_len - 1] == '.')) {
+ return true;
+ }
+ i += blacklist_entry_len + 1;
+ }
+
+ return false;
+}
+
+} // namespace net
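Review bot: `IsMember` calls `strlen` and `memcmp`, but this file includes only its own header, which in turn includes only `base/basictypes.h`, so the build relies on a transitive include. Adding `#include <string.h>` here and in `ssl_false_start_blacklist.h` (whose inline `LastTwoLabels` also calls `strlen`) makes both files self-contained. The loop also trusts every length byte and `kHashTable` offset without re-checking that `i + 1 + blacklist_entry_len <= end`, which deserves a comment above the `for`, e.g. `// kHashData/kHashTable are generated at build time; entry lengths are not re-validated here.`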
diff --git a/net/base/ssl_false_start_blacklist.h b/net/base/ssl_false_start_blacklist.h
new file mode 100644
index 0000000..1d44d0a
--- /dev/null
+++ b/net/base/ssl_false_start_blacklist.h
@@ -0,0 +1,98 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_SSL_FALSE_START_BLACKLIST_H_
+#define NET_BASE_SSL_FALSE_START_BLACKLIST_H_
+
+#include "base/basictypes.h"
+
+namespace net {
+
+// SSLFalseStartBlacklist is a set of domains which we believe to be intolerant
+// to TLS False Start. Because this set is several hundred long, it's
+// precompiled by the code in ssl_false_start_blacklist_process.cc into a hash
+// table for fast lookups.
+class SSLFalseStartBlacklist {
+ public:
+ // IsMember returns true if the given host is in the blacklist.
+ // host: a DNS name in dotted form (i.e. "www.example.com")
+ static bool IsMember(const char* host);
+
+ // Hash returns the modified djb2 hash of the given string.
+ static unsigned Hash(const char* str) {
+ // This is inline because the code which generates the hash table needs to
+ // use it. However, the generating code cannot link against
+ // ssl_false_start_blacklist.cc because that needs the tables which it
+ // generates.
+ const unsigned char* in = reinterpret_cast<const unsigned char*>(str);
+ unsigned hash = 5381;
+ unsigned char c;
+
+ while ((c = *in++))
+ hash = ((hash << 5) + hash) ^ c;
+ return hash;
+ }
+
+ // LastTwoLabels returns a pointer within |host| to the last two labels of
+ // |host|. For example, if |host| is "a.b.c.d" then LastTwoLabels will return
+ // "c.d".
+ // host: a DNS name in dotted form.
+ // returns: NULL on error, otherwise a pointer inside |host|.
+ static const char* LastTwoLabels(const char* host) {
+ // See comment in |Hash| for why this function is inline.
+ const size_t len = strlen(host);
+ if (len == 0)
+ return NULL;
+
+ unsigned dots_found = 0;
+ size_t i;
+ for (i = len - 1; i < len; i--) {
+ if (host[i] == '.') {
+ dots_found++;
+ if (dots_found == 2) {
+ i++;
+ break;
+ }
+ }
+ }
+
+ if (i > len)
+ i = 0;
+
+ if (dots_found == 0)
+ return NULL; // no names with less than two labels are in the blacklist.
+ if (dots_found == 1) {
+ if (host[0] == '.')
+ return NULL; // ditto
+ }
+
+ return &host[i];
+ }
+
+ // This is the number of buckets in the blacklist hash table. (Must be a
+ // power of two).
+ static const unsigned kBuckets = 128;
+
+ private:
+ // The following two members are defined in
+ // ssl_false_start_blacklist_data.cc, which is generated by
+ // ssl_false_start_blacklist_process.cc
+
+ // kHashTable contains an offset into |kHashData| for each bucket. The
+ // additional element at the end contains the length of |kHashData|.
+ static const uint16 kHashTable[kBuckets + 1];
+ // kHashData contains the contents of the hash table. |kHashTable| indexes
+ // into this array. Each bucket consists of zero or more, 8-bit length
+ // prefixed strings. Each string is a DNS name in dotted form. For a given
+ // string x, x and *.x are considered to be in the blacklist. In order to
+ // assign a string to a hash bucket, the last two labels (not including the
+ // root label) are hashed. Thus, the bucket for "www.example.com" is
+ // Hash("example.com"). No names that are less than two labels long are
+ // included in the blacklist.
+ static const char kHashData[];
+};
+
+} // namespace net
+
+#endif // NET_BASE_SSL_FALSE_START_BLACKLIST_H_
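Review bot: `LastTwoLabels` counts a trailing root dot as a label separator, so for "www.example.com." it returns "com." and `IsMember` hashes the wrong bucket and reports a listed host as absent. Either state the precondition on `IsMember`, e.g. `// host: a lower-case DNS name in dotted form with no trailing dot (i.e. "www.example.com")`, or skip a single trailing '.' before scanning. The backwards loop `for (i = len - 1; i < len; i--)` terminates only through `size_t` wrap-around, with `if (i > len) i = 0;` undoing it afterwards; a one-line comment saying so would help.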
diff --git a/net/base/ssl_false_start_blacklist.txt b/net/base/ssl_false_start_blacklist.txt
new file mode 100644
index 0000000..9b97c57
--- /dev/null
+++ b/net/base/ssl_false_start_blacklist.txt
@@ -0,0 +1,671 @@
+# Copyright (c) 2010 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This is the list of hosts for which we will not perform False Start. It was
+# gathered from probing and bug reports.
+
+# This is included for unit tests:
+example.com
+
+123.cht.com.tw
+4science.net
+abangdani.wordpress.com
+access.arkansas.gov
+accessgeneral.com
+accessingram.com
+accorservicesdirect.net
+adfox.cz
+ads.bridgetrack.com
+adult.dl.rakuten.co.jp
+adulthire.com
+advanceautoparts.com
+agents.nationalsecuritygroup.com
+alamode.com
+algoritam.hr
+alsformalwear.com
+alucmo.com
+amail.centrum.cz
+amexweb.com.mx
+amsi.alliedgroup.net
+amwaylive.com
+anntaylor.recruitmax.com
+apps.revenuecycle.com
+aps2.toshiba-tro.de
+apus.edu
+aribabuyer.us.dell.com
+ariston.es
+asb.dk
+ashgate.com
+ashleymadison.com
+asp.fm-pc.com
+atari.com
+ats.openhire.com
+attask-ondemand.com
+attask.com
+axa.co.uk
+banking.ing-diba.at
+baptisthealth.net
+barkoff.tv
+barracudaserver.com
+barronscatalog.com
+bb3.utc.edu
+bcbsfl.recruitmax.com
+bentley.edu
+biddingforgood.com
+biffalo.net
+bilder.buecher.de
+bishops.org.za
+bitfang.com
+blogger.huffingtonpost.com
+brinksinc.com
+buecher.de
+buildings.com
+bux.ee
+buyshakeweightformen.com
+cagreatamerica.com
+candydirect.com
+cardsdirect.com
+caringbridge.org
+cash.netmarble.net
+ccmail.cc.gatech.edu
+celebrateyourfaith.com
+centralr.com
+certs.zurich.co.uk
+champions-online.com
+chnla.com
+chw.recruitmax.com
+ciaoitalia.com
+cinema.warnermycal.com
+circlesofwisdom.com
+cisr-ssl-vpn2.univ-lyon1.fr
+citi.bridgetrack.com
+citizensfla.com
+claritycon.com
+classbauth.austin.hp.com
+cofunds.co.uk
+combattesting.com
+compaxtrade.com
+confirmit.suw.corp.google.com
+coopervisionrebates.com
+corporate.bpn.pt
+correo.uft.cl
+credinamico.programapar.com.br
+creditcards.citicards.com
+cts.vresp.com
+cubizone.com
+customer.precash.com
+cvintranet.classifiedventures.com
+d49.org
+depo.ru
+destinationlighting.com
+djmmusic.com
+dl.rakuten.co.jp
+dmgov.org
+docstoc.com
+docuware.com
+dokeos.ehb.be
+drammen.skole.d-ikt.no
+drsha.com
+dskdirect.bg
+dwarest.disc.co.jp
+easybillindia.in
+easyswitch.nl
+ebb.ubb.bg
+ebit.com.br
+echo.com
+echotrak.com
+econda-monitor.de
+edaccents.com
+edumail.tokem.fi
+eduportal.pl
+elm.mcmaster.ca
+elmls.mcmaster.ca
+email.manutouch.com.hk
+email.wsd1.org
+email.yorksj.ac.uk
+employee.translink.bc.ca
+ent.enteduc.fr
+enterprise.channeladvisor.com
+epk.tv
+epoti.abanka.si
+equippers.com
+eumail.nov.com
+eurobank.pl
+exchange.chc.be
+exchange.hostnet.nl
+exchange.selco.info
+external1.collaboration.hp.com
+extra.chrysler.de
+extranet.cchmc.org
+faxbetter.com
+fdc.org.br
+financialengines.com
+firstam.net
+flydenver.com
+forums.champions-online.com
+forums.startrekonline.com
+fucam.ac.be
+fullseat.com
+futuretrails.com
+ganymede.chester.ac.uk
+gateway.madisoncity.k12.al.us
+genuineonlinebank.com
+getslimtsnow.com
+global2.mtsallstream.com
+go.enbw.net
+goamp.com
+gomopa.net
+goredsea.com
+gotobelfast.com
+greenpower24.com
+gw2.fli.bund.de
+haken.mynavi.jp
+hangikredi.com
+hastingsdirect.com
+hearablog.com
+heavens-above.com
+helpdesk.clear2pay.com
+helwanbb.com
+hercle.com
+hivanet.hitachi-ies.co.jp
+hoken-clinic.info
+homedepotrebates.com
+honeybakedonline.com
+hood.com
+hostedjobs.openhire.com
+howtowritearesume.net
+humana.recruitmax.com
+hurmail01.hurriyet.com.tr
+hydra.cusys.edu
+hz.nl
+il.systemb2b.com
+il2l.com
+indraweb.indra.es
+ineways.com
+info.enet-japan.com
+infonet.hz.nl
+inside.nhl.com
+insight.smartdm.com
+integrishealth.recruitmax.com
+interiorsandsources.com
+internal.imaginets.com
+intra.billing.ru
+intranet.peckham.org
+intranet.ucol.ac.nz
+inverhills.edu
+iol.pt
+iqsystem.irrc.co.jp
+ito.org.tr
+itrade.fhtrust.com.tw
+iweb.thebankersbank.com
+j-union.com
+jasaga.or.jp
+jnet.agsys.sompo-japan.co.jp
+job.disc.co.jp
+job.nikkei.co.jp
+jobmgr.disc.co.jp
+kahosl.be
+keas.com
+kimberlyclark.myvurv.com
+king-invest.net
+kingsdominion.com
+kingsroadmerch.com
+kwiktrip.com
+leerlingmail.niftarlake.nl
+legalconnection.com
+lightstone.co.za
+login-pos.eurobank.pl
+login-raty.eurobank.pl
+lxr.com
+maartenluther.calvijn.nl
+magelo.com
+magtek.com
+mail.centrum.cz
+mail.extranet.hp.com
+mail.gtri.gatech.edu
+mail.gunnebo.com
+mail.hoover.k12.al.us
+mail.hzeeland.nl
+mail.idera.com
+mail.ilsole24ore.com
+mail.jetblue.com
+mail.officebroker.com
+mail.oma.nl
+mail.rawlinscollege.org.uk
+mail.rcsdk12.org
+mail.silmu.fi
+mail.sinclair.edu
+mail.skmc.gov.ae
+mail.the-ascott.com
+mail.tox-us.com
+mail.ugs.com
+mail.uottawa.ca
+mail.yvc.ac.il
+mail2.law.stetson.edu
+mail2.skanetrafiken.se
+mailhub1.cpsb.org
+mailhub2.cpsb.org
+marshallsonline.com
+massport.com
+mediabistro.com
+member.yong-online.com.tw
+merchantonlineapp.com
+merrickbank.com
+metalinq.com
+miele.co.uk
+miller.co.jp
+mishlohim.co.il
+mizunoshop.net
+mochibot.com
+mochigames.com
+mochimedia.com
+moss.esher.ac.uk
+msexchange.lyon.edu
+msishopper.net
+mtsexchange.mtsn.org.uk
+mudy.info
+my.bentley.edu
+my.berkeleycollege.edu
+my.dover.edu
+my.ecwid.com
+my.wcupa.edu
+mycls.cls.ch
+myoffice.eu.goodyear.com
+myoffice.na.goodyear.com
+myparceldelivery.com
+na.ntrsupport.com
+naramail.nara.gov
+neospeech.com
+nettkontoret.kredinor.no
+neways.com
+newaysonline.com
+newvistalive.com
+nochex.com
+noridian.totalonboarding.com
+noticiastelemicro.com
+nr.edu
+nuwaveoven.com
+online.eurobank.pl
+onyxinv.com
+orix-sumai.jp
+osvinc.com
+otpbank.hu
+owa.dist113.org
+owa.kajak.fi
+owa.kan.se
+owa.nordakademie.de
+owa.tecnicasreunidas.es
+owa2k3.bhw.de
+parfumdreams.de
+partner.buzzcity.com
+partners.conocophillipsalaska.com
+pastel.co.za
+perfectmoney.com
+picnik.com
+pimkie.de
+pimkie.es
+pimkie.fr
+pimkie.it
+pineconeresearch.com
+planet-tachyon.com
+playneverwinter.com
+pocket.matsui.co.jp
+pokervt.com
+poolzconnect.singaporepools.com.sg
+popularglasses.com
+portaal.nh1816.nl
+portail.mont-notre-dame.qc.ca
+portal.eduweb.vic.gov.au
+portal.eiffel.nl
+portal.hello.ch
+portal.klz.org.uk
+portal.langara.bc.ca
+portal.mariestad.se
+portal.peckham.org
+portal.perse.co.uk
+portal.tku.ac.jp
+post.norwegian.no
+posta.dsi.gov.tr
+powerschool.ccsdut.net
+powerschool.lawrence.k12.ma.us
+profil.centrum.cz
+projectinsight.cbre.com
+providers.tufts-health.com
+ps.dvusd.org
+ps.glenbard.org
+ps.liberty.k12.mo.us
+psyquel.com
+pushentertainment.com
+q8car.com
+qisweb2-verw.uni-hohenheim.de
+quotien.onlinebank.com
+rainforest-alliance.org
+rakuraku-market.com
+rbc.bridgetrack.com
+rc.kotoha.co.jp
+remote.cushingco.com
+reprofinance.com
+restaurantwedding.jp
+rio.edu
+rlcdn.com
+rmg.i-grasp.com
+rosevalleyindia.com
+rotaban.ru
+rozodoniy.com
+rpv.fbn.ca
+rr.com
+run.auone.jp
+runnet.jp
+s-yoyaku.city.sagamihara.kanagawa.jp
+s-yoyaku.city.urayasu.chiba.jp
+safelinkwireless.com
+sail.iwcc.edu
+samba.huji.ac.il
+samsami2u.wordpress.com
+samstores.com
+sap.kenexa.com
+saratogaschools.org
+scottsliquidgold.com
+search.boox.jp
+search.petfinder.com
+secure.cambrianc.on.ca
+secure.court.gov.il
+secure.discountadvances.com
+secure.earthclassmail.com
+secure.merchantcart.net
+secure.mycashnow.com
+secure.nochex.com
+secure.paydaymax.com
+secure.www.denverpost.com
+secure.www.mercurynews.com
+secure.www.twincities.com
+secure.zeelandnet.nl
+secure.zoominfo.com
+secureaccess.cacu.com
+securedlogons.humanadental.com
+seha.ae
+selfcare.rr.com
+services.bag-mail.de
+shakeweight.com
+shiki.gr.jp
+showcase-tv.com
+shsremote.solarishs.org
+sierranevada.com
+sis.ggusd.us
+sisense.com
+smart.otpbanka.hr
+sobexinvest.com
+socketstore.co.uk
+soundvision.com
+spalding.edu
+sprintrebates.com
+squareup.com
+ss3.e-state.co.jp
+ssl.arcsoft.com
+sslvpn.broadcom.com
+sslvpn.savannah.chatham.k12.ga.us
+staffmail.brighton.ac.uk
+staffportal.bne.catholic.edu.au
+stapleseasyrebates.com
+startnextweek.com.au
+startrekonline.com
+ste-exch1.nhc.ac.uk
+stores.channeladvisor.com
+strideeveryday.com
+studentdata.warwick.ac.uk
+studynet.dem.hva.nl
+subjectivemetrics.com
+survey5.spss-asp.com
+surveys.itsyourview.com
+suvana.com
+svelvik.skole.d-ikt.no
+syllabus.doshisha.ac.jp
+sys.ins-uni.co.jp
+taocan777.com
+teetimesusa.com
+terrabanking.romexterra.ro
+testdriveunlimited2.com
+tgn.co.jp
+tgw.com
+thecinema.in
+thediamondstore.co.uk
+thor.movistar.com.co
+thymes.com
+tlfw01.fhsg.ch
+tools.med.nyu.edu
+topfox.co.uk
+totalcore.com
+tracs.txstate.edu
+trialpay.com
+tryshakeweight.com
+trytotalpillow.com
+tvspy.com
+tw.event.gamania.com
+ucol.ac.nz
+ukblelite01.emea.aza-lite.com
+ukblelite02.emea.aza-lite.com
+uni-hohenheim.de
+user.centrum.cz
+usuwazavpn04.americas.aza-lite.com
+vcsportal.viasyscs.com
+vle.guilsborough.northants.sch.uk
+voogd.com
+vpn-01.houstonisd.org
+vpn-03.houstonisd.org
+vpn-04.houstonisd.org
+vpn.tarumanagara.com
+vr.is
+vtrade.vincomsc.com.vn
+warranty.akeryards.as
+web-opas.osakaya.co.jp
+webaccess.7p-group.com
+webaccess.pvhs.org
+webbt.banque-tahiti.pf
+webforensics.co.uk
+webmail.asb.dk
+webmail.austmus.gov.au
+webmail.bne.catholic.edu.au
+webmail.bose.com
+webmail.choa.org
+webmail.csaa.com
+webmail.firstam.net
+webmail.hrblock.com
+webmail.ingbank.com.tr
+webmail.kapsch.net
+webmail.levinglobal.com
+webmail.lolland.dk
+webmail.mopera.net
+webmail.mt.gov
+webmail.newlook.net
+webmail.ordina.nl
+webmail.peelpolice.ca
+webmail.springer-sbm.com
+webmail.srhs.com
+webmail.toho-u.ac.jp
+webmail.transat.com
+webmail.tribune.com
+webmail.tuev-nord.de
+webmail.valamar.com
+webmail.waterman-group.co.uk
+webmail.wcupa.edu
+webmaildata.rr.com
+webshop.weijntjes.nl
+webvpn.au.aecom.com
+webvpn.ben.edu
+webvpn.eu.aecom.com
+webvpn.usaa.com
+webvpn.usps.gov
+welltrix.com
+werecoverdata.com
+wettstar.de
+workhere.jetblue.com
+wowbeez.com
+ws.licenzji-vetturi.gov.mt
+wtc.lxr.com
+www.accessgeneral.com
+www.accessingram.com
+www.adfox.cz
+www.agromercantil.com.gt
+www.algoritam.hr
+www.amu.apus.edu
+www.amwaylive.com
+www.anoka.k12.mn.us
+www.apus.edu
+www.aramex.net
+www.asb.dk
+www.ashleymadison.com
+www.aussiecupid.com.au
+www.azimut.portail.soquij.qc.ca
+www.benefitsconnect.net
+www.bsnparentnet.nl
+www.buecher.de
+www.cardsdirect.com
+www.caringbridge.org
+www.cashpoint.com
+www.centralr.com
+www.champions-online.com
+www.chineselovelinks.com
+www.citizensfla.com
+www.cmarket.com
+www.coop-kobe.net
+www.costco.com.mx
+www.cubizone.com
+www.cupidmedia.com
+www.dandh.com
+www.djmmusic.com
+www.docstoc.com
+www.docuware.com
+www.dskdirect.bg
+www.dualsaw.com
+www.e-denpo.net
+www.e-zoa.com
+www.easy-share.com
+www.echo.com
+www.echotrak.com
+www.econda-monitor.de
+www.edumail.vic.gov.au
+www.eduweb.vic.gov.au
+www.empresas.bancobcr.com
+www.eurobank.pl
+www.expesite.com
+www.fareastcafe.co.jp
+www.feitest.com
+www.filipinaheart.com
+www.financialengines.com
+www.firstassistinsurance.com
+www.frankfurt-oder.de
+www.fucam.ac.be
+www.goamp.com
+www.golfdo.com
+www.gomopa.net
+www.hangikredi.com
+www.hastingsdirect.com
+www.hastingsessential.com
+www.helwanbb.com
+www.homedepotrebates.com
+www.hongkongcupid.com
+www.ihale.gov.tr
+www.improvementscatalog.com
+www.inetportals.com
+www.internationalcupid.com
+www.inverhills.edu
+www.iol.pt
+www.istyle.com.tw
+www.jerusalem.muni.il
+www.krungsricashlink.com
+www.kultur.gov.tr
+www.m-pesa.com
+www.mallorca.co.uk
+www.marshallsonline.com
+www.meadsd.net
+www.mediabistro.com
+www.merrickbank.com
+www.microline.hr
+www.miller.co.jp
+www.mishlohim.co.il
+www.mochibot.com
+www.mochigames.com
+www.mochimedia.com
+www.mochipass.com
+www.moe.gov.ae
+www.mof.go.jp
+www.montimbrenligne.laposte.fr
+www.mopera.net
+www.mp4all.nl
+www.msishopper.net
+www.mypoint.com
+www.nbch.com.ar
+www.ncatrak.org
+www.neways.com
+www.newaysonline.com
+www.nhk-ep.com
+www.nochex.com
+www.officemd.net
+www.onlineaha.org
+www.otpbank.hu
+www.pagport.jp
+www.pandorashop.nl
+www.picnik.com
+www.promptparts.com
+www.q8car.com
+www.redbullcontentpool.com
+www.regmurcia.com
+www.riksgalden.se
+www.rotaban.ru
+www.rr.com
+www.safelinkwireless.com
+www.samstores.com
+www.sharedoc.com
+www.smarttickets.com.au
+www.smartypig.com
+www.smiles.caisse-epargne.fr
+www.sprintrebates.com
+www.stapleseasyrebates.com
+www.startrekonline.com
+www.store.limewire.com
+www.supplier.nokia.com
+www.thailovelinks.com
+www.thecinema.in
+www.themls.com
+www.tjmaxx.com
+www.tnc.ne.jp
+www.topfox.co.uk
+www.toranoana.jp
+www.trialpay.com
+www.tryabcircle.com
+www.tzamtzam.co.il
+www.ucol.ac.nz
+www.user.zoominfo.com
+www.variety.com
+www.vietnamcupid.com
+www.voogd.com
+www.vpn.cmu.edu
+www.wettstar.de
+www.wiso.uni-hamburg.de
+www.worthington-portal.org
+www.wowbeez.com
+www.y-do.net
+www.yourwirelessrebatecenter.com
+www.zenfolio.com
+www.zenryonetwork.com
+www.zoominfo.com
+www1.cat365.net
+www1.ticket-web-shochiku.com
+www2.fakton.nl
+www2.proexam.org
+www2.secom-techno.co.jp
+www2.ticket-web-shochiku.com
+www6.hsmv.state.fl.us
+wwws.jp-bank.japanpost.jp
+wwy01.shiki.gr.jp
+wynbilling.wyndhamworldwide.com
+wynnmacau.recruitmax.com
+xbox.redeemer.ab.ca
+yodlee.com
+yourwirelessrebatecenter.com
+yoyaku.city.funabashi.chiba.jp
+yoyaku.city.hachioji.tokyo.jp
+zenfolio.com
+zoominfo.com
+zumbafitness.com
diff --git a/net/base/ssl_false_start_blacklist_process.cc b/net/base/ssl_false_start_blacklist_process.cc
new file mode 100644
index 0000000..ed67c8f
--- /dev/null
+++ b/net/base/ssl_false_start_blacklist_process.cc
@@ -0,0 +1,267 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// This utility program exists to process the False Start blacklist file into
+// a static hash table so that it can be efficiently queried by Chrome.
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <set>
+#include <string>
+#include <vector>
+
+#include "base/basictypes.h"
+#include "base/logging.h"
+#include "net/base/ssl_false_start_blacklist.h"
+
+using net::SSLFalseStartBlacklist;
+
+static const unsigned kBuckets = SSLFalseStartBlacklist::kBuckets;
+
+static int
+usage(const char* argv0) {
+ fprintf(stderr, "Usage: %s <blacklist file> <output .c file>\n", argv0);
+ return 1;
+}
+
+// StripWWWPrefix removes "www." from the beginning of any elements of the
+// vector.
+static void StripWWWPrefix(std::vector<std::string>* hosts) {
+ static const char kPrefix[] = "www.";
+ static const unsigned kPrefixLen = sizeof(kPrefix) - 1;
+
+ for (size_t i = 0; i < hosts->size(); i++) {
+ const std::string& h = (*hosts)[i];
+ if (h.size() >= kPrefixLen &&
+ memcmp(h.data(), kPrefix, kPrefixLen) == 0) {
+ (*hosts)[i] = h.substr(kPrefixLen, h.size() - kPrefixLen);
+ }
+ }
+}
+
+// RemoveDuplicateEntries removes all duplicates from |hosts|.
+static void RemoveDuplicateEntries(std::vector<std::string>* hosts) {
+ std::set<std::string> hosts_set;
+ std::vector<std::string> ret;
+
+ for (std::vector<std::string>::const_iterator
+ i = hosts->begin(); i != hosts->end(); i++) {
+ if (hosts_set.count(*i)) {
+ LOG(INFO) << "Removing duplicate entry for " << *i;
+ continue;
+ }
+ hosts_set.insert(*i);
+ ret.push_back(*i);
+ }
+
+ hosts->swap(ret);
+}
+
+// ParentDomain returns the parent domain for a given domain name or the empty
+// string if the name is a top-level domain.
+static std::string ParentDomain(const std::string& in) {
+ for (size_t i = 0; i < in.size(); i++) {
+ if (in[i] == '.') {
+ return in.substr(i + 1, in.size() - i - 1);
+ }
+ }
+
+ return std::string();
+}
+
+// RemoveRedundantEntries removes any entries which are subdomains of other
+// entries. (i.e. foo.example.com would be removed if example.com were also
+// included.)
+static void RemoveRedundantEntries(std::vector<std::string>* hosts) {
+ std::set<std::string> hosts_set;
+ std::vector<std::string> ret;
+
+ for (std::vector<std::string>::const_iterator
+ i = hosts->begin(); i != hosts->end(); i++) {
+ hosts_set.insert(*i);
+ }
+
+ for (std::vector<std::string>::const_iterator
+ i = hosts->begin(); i != hosts->end(); i++) {
+ std::string parent = ParentDomain(*i);
+ while (!parent.empty()) {
+ if (hosts_set.count(parent))
+ break;
+ parent = ParentDomain(parent);
+ }
+ if (parent.empty()) {
+ ret.push_back(*i);
+ } else {
+ LOG(INFO) << "Removing " << *i << " as redundant";
+ }
+ }
+
+ hosts->swap(ret);
+}
+
+// CheckLengths returns true iff every host is less than 256 bytes long (not
+// including the terminating NUL) and contains two or more labels.
+static bool CheckLengths(const std::vector<std::string>& hosts) {
+ for (std::vector<std::string>::const_iterator
+ i = hosts.begin(); i != hosts.end(); i++) {
+ if (i->size() >= 256) {
+ LOG(ERROR) << "Entry " << *i << " is too large";
+ return false;
+ }
+ if (SSLFalseStartBlacklist::LastTwoLabels(i->c_str()) == NULL) {
+ LOG(ERROR) << "Entry " << *i << " contains to few labels";
+ return false;
+ }
+ }
+
+ return true;
+}
+
+int main(int argc, char** argv) {
+ if (argc != 3)
+ return usage(argv[0]);
+
+ const char* input_file = argv[1];
+ const char* output_file = argv[2];
+ FILE* input = fopen(input_file, "r");
+ if (!input) {
+ perror("open");
+ return usage(argv[0]);
+ }
+
+ if (fseek(input, 0, SEEK_END)) {
+ perror("fseek");
+ return 1;
+ }
+
+ const long input_size = ftell(input);
+
+ if (fseek(input, 0, SEEK_SET)) {
+ perror("fseek");
+ return 1;
+ }
+
+ char* buffer = static_cast<char*>(malloc(input_size));
+ if (fread(buffer, input_size, 1, input) != 1) {
+ perror("fread");
+ free(buffer);
+ fclose(input);
+ return 1;
+ }
+ fclose(input);
+
+ std::vector<std::string> hosts;
+
+ off_t line_start = 0;
+ bool is_comment = false;
+ bool non_whitespace_seen = false;
+ for (long i = 0; i <= input_size; i++) {
+ if (i == input_size || buffer[i] == '\n') {
+ if (!is_comment && non_whitespace_seen)
+ hosts.push_back(std::string(&buffer[line_start], i - line_start));
+ is_comment = false;
+ non_whitespace_seen = false;
+ line_start = i + 1;
+ continue;
+ }
+
+ if (i == line_start && buffer[i] == '#')
+ is_comment = true;
+ if (buffer[i] != ' ' && buffer[i] != '\t')
+ non_whitespace_seen = true;
+ }
+ free(buffer);
+
+ LOG(INFO) << "Have " << hosts.size() << " hosts after parse";
+ StripWWWPrefix(&hosts);
+ RemoveDuplicateEntries(&hosts);
+ LOG(INFO) << "Have " << hosts.size() << " hosts after removing duplicates";
+ RemoveRedundantEntries(&hosts);
+ LOG(INFO) << "Have " << hosts.size() << " hosts after removing redundants";
+ if (!CheckLengths(hosts)) {
+ LOG(ERROR) << "One or more entries is too large or too small";
+ return 2;
+ }
+
+ LOG(INFO) << "Using " << kBuckets << " entry hash table";
+ uint16 table[kBuckets];
+ std::vector<std::string> buckets[kBuckets];
+
+ for (std::vector<std::string>::const_iterator
+ i = hosts.begin(); i != hosts.end(); i++) {
+ const char* last_two_labels =
+ SSLFalseStartBlacklist::LastTwoLabels(i->c_str());
+ const unsigned h = SSLFalseStartBlacklist::Hash(last_two_labels);
+ buckets[h & (kBuckets - 1)].push_back(*i);
+ }
+
+ std::string table_data;
+ unsigned max_bucket_size = 0;
+ for (unsigned i = 0; i < kBuckets; i++) {
+ if (table_data.size() > 65535) {
+ LOG(ERROR) << "Hash table overflowed a uint16 index";
+ return 3;
+ }
+
+ if (buckets[i].size() > max_bucket_size)
+ max_bucket_size = buckets[i].size();
+
+ table[i] = table_data.size();
+ for (std::vector<std::string>::const_iterator
+ j = buckets[i].begin(); j != buckets[i].end(); j++) {
+ table_data.push_back((char) j->size());
+ table_data.append(*j);
+ }
+ }
+
+ LOG(INFO) << "Largest bucket has " << max_bucket_size << " entries";
+
+ FILE* out = fopen(output_file, "w+");
+ if (!out) {
+ perror("opening output file");
+ return 4;
+ }
+
+ fprintf(out, "// Copyright (c) 2010 The Chromium Authors. All rights "
+ "reserved.\n// Use of this source code is governed by a BSD-style "
+ "license that can be\n// found in the LICENSE file.\n\n");
+ fprintf(out, "// WARNING: this code is generated by\n"
+ "// ssl_false_start_blacklist_process.cc. Do not edit.\n\n");
+ fprintf(out, "#include \"base/basictypes.h\"\n\n");
+ fprintf(out, "#include \"net/base/ssl_false_start_blacklist.h\"\n\n");
+ fprintf(out, "namespace net {\n\n");
+ fprintf(out, "const uint16 SSLFalseStartBlacklist::kHashTable[%d + 1] = {\n",
+ kBuckets);
+ for (unsigned i = 0; i < kBuckets; i++) {
+ fprintf(out, " %d,\n", (int) table[i]);
+ }
+ fprintf(out, " %d,\n", (int) table_data.size());
+ fprintf(out, "};\n\n");
+
+ fprintf(out, "const char SSLFalseStartBlacklist::kHashData[] = \n");
+ for (unsigned i = 0, line_length = 0; i < table_data.size(); i++) {
+ if (line_length == 0)
+ fprintf(out, " \"");
+ uint8 c = static_cast<uint8>(table_data[i]);
+ if (c < 32 || c > 127 || c == '"') {
+ fprintf(out, "\\%c%c%c", '0' + ((c >> 6) & 7), '0' + ((c >> 3) & 7),
+ '0' + (c & 7));
+ line_length += 4;
+ } else {
+ fprintf(out, "%c", c);
+ line_length++;
+ }
+ if (i == table_data.size() - 1) {
+ fprintf(out, "\";\n");
+ } else if (line_length >= 70) {
+ fprintf(out, "\"\n");
+ line_length = 0;
+ }
+ }
+ fprintf(out, "\n} // namespace net\n");
+ fclose(out);
+
+ return 0;
+}
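Review bot: The string-literal escaping near the end of `main` handles `"` but not `\`, and each entry's length prefix is written through the same path, so an entry of exactly 92 characters would emit a bare backslash that fuses with the following host bytes into an escape sequence and corrupts `kHashData`. Widening the test to `if (c < 32 || c > 126 || c == '"' || c == '\\') {` covers that case and DEL as well. Separately, the `table_data.size() > 65535` check runs only at the top of each bucket iteration, so the final sentinel written after the loop is never checked against `uint16`; repeating the check once after the loop closes that gap. The `ftell` and `malloc` results are also used unchecked, and `input` is not closed on the `fseek` error paths.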
diff --git a/net/base/ssl_false_start_blacklist_unittest.cc b/net/base/ssl_false_start_blacklist_unittest.cc
new file mode 100644
index 0000000..7ade428
--- /dev/null
+++ b/net/base/ssl_false_start_blacklist_unittest.cc
@@ -0,0 +1,28 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/ssl_false_start_blacklist.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+TEST(SSLFalseStartBlacklistTest, LastTwoLabels) {
+#define F net::SSLFalseStartBlacklist::LastTwoLabels
+ EXPECT_STREQ(F("a.b.c.d"), "c.d");
+ EXPECT_STREQ(F("a.b"), "a.b");
+ EXPECT_STREQ(F("example.com"), "example.com");
+ EXPECT_STREQ(F("www.example.com"), "example.com");
+ EXPECT_STREQ(F("www.www.example.com"), "example.com");
+
+ EXPECT_TRUE(F("com") == NULL);
+ EXPECT_TRUE(F(".com") == NULL);
+ EXPECT_TRUE(F("") == NULL);
+#undef F
+}
+
+TEST(SSLFalseStartBlacklistTest, IsMember) {
+ EXPECT_TRUE(net::SSLFalseStartBlacklist::IsMember("example.com"));
+ EXPECT_TRUE(net::SSLFalseStartBlacklist::IsMember("www.example.com"));
+ EXPECT_TRUE(net::SSLFalseStartBlacklist::IsMember("a.b.example.com"));
+ EXPECT_FALSE(net::SSLFalseStartBlacklist::IsMember("aexample.com"));
+ EXPECT_FALSE(net::SSLFalseStartBlacklist::IsMember("com"));
+}
diff --git a/net/net.gyp b/net/net.gyp
index 1814d59..2f8bb2d 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -19,6 +19,7 @@
'../third_party/icu/icu.gyp:icuuc',
'../third_party/zlib/zlib.gyp:zlib',
'net_resources',
+ 'ssl_false_start_blacklist_process',
],
'sources': [
'base/address_family.h',
@@ -165,6 +166,7 @@
'base/ssl_config_service_mac.h',
'base/ssl_config_service_win.cc',
'base/ssl_config_service_win.h',
+ 'base/ssl_false_start_blacklist.cc',
'base/ssl_info.cc',
'base/ssl_info.h',
'base/static_cookie_policy.cc',
@@ -199,6 +201,25 @@
'export_dependent_settings': [
'../base/base.gyp:base',
],
+ 'actions': [
+ {
+ 'action_name': 'ssl_false_start_blacklist',
+ 'inputs': [
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)ssl_false_start_blacklist_process<(EXECUTABLE_SUFFIX)',
+ 'base/ssl_false_start_blacklist.txt',
+ ],
+ 'outputs': [
+ '<(SHARED_INTERMEDIATE_DIR)/net/base/ssl_false_start_blacklist_data.cc',
+ ],
+ 'action':
+ ['<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)ssl_false_start_blacklist_process<(EXECUTABLE_SUFFIX)',
+ 'base/ssl_false_start_blacklist.txt',
+ '<(SHARED_INTERMEDIATE_DIR)/net/base/ssl_false_start_blacklist_data.cc',
+ ],
+ 'message': 'Generating SSL False Start blacklist',
+ 'process_outputs_as_sources': 1,
+ },
+ ],
'conditions': [
[ 'OS == "linux" or OS == "freebsd" or OS == "openbsd"', {
'dependencies': [
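Review bot: The action executes `ssl_false_start_blacklist_process` out of `<(PRODUCT_DIR)` during the build, which presumably fails when cross-compiling, because the generator is then built for the target architecture rather than for the build machine. If the gyp version in this tree supports toolsets, the `ssl_false_start_blacklist_process` target added in the last hunk of this file could carry `'toolsets': ['host'],` and be referenced from here as a host tool. A short comment on the action, such as `# Runs a build-time generator; its output is compiled into net via process_outputs_as_sources.`, would also explain why an executable appears in `inputs`.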
@@ -732,6 +753,7 @@
'base/ssl_config_service_mac_unittest.cc',
'base/ssl_config_service_unittest.cc',
'base/ssl_config_service_win_unittest.cc',
+ 'base/ssl_false_start_blacklist_unittest.cc',
'base/static_cookie_policy_unittest.cc',
'base/transport_security_state_unittest.cc',
'base/test_certificate_data.h',
@@ -1112,6 +1134,16 @@
'tools/hresolv/hresolv.cc',
],
},
+ {
+ 'target_name': 'ssl_false_start_blacklist_process',
+ 'type': 'executable',
+ 'dependencies': [
+ '../base/base.gyp:base',
+ ],
+ 'sources': [
+ 'base/ssl_false_start_blacklist_process.cc',
+ ],
+ },
],
'conditions': [
# ['OS=="linux"', {