authorfelt@chromium.org <felt@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-07-23 06:38:19 +0000
committerfelt@chromium.org <felt@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-07-23 06:38:19 +0000
commit903df2b59e2d2456350c5bcec4b9b7310b030606 (patch)
tree3c6ad155baf865010a3dd90cb5a66ba060738ded
parent6691c1970cc88db1178f669605965bb26d02a9d2 (diff)
Update SSL error "detail" strings
Glen and Alex suggested putting all of the "detail" strings for overridable errors into the following format: This server could not prove that it is example.com; <INSERT SHORT REASON HERE>. This may be caused by a misconfiguration or an attacker intercepting your connection. BUG= Review URL: https://codereview.chromium.org/404923002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@284867 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/app/chromium_strings.grd21
-rw-r--r--chrome/app/generated_resources.grd17
-rw-r--r--chrome/app/google_chrome_strings.grd21
-rw-r--r--chrome/browser/ssl/ssl_error_info.cc19
4 files changed, 40 insertions, 38 deletions
diff --git a/chrome/app/chromium_strings.grd b/chrome/app/chromium_strings.grd
index 70ce6c1..58e7445 100644
--- a/chrome/app/chromium_strings.grd
+++ b/chrome/app/chromium_strings.grd
@@ -262,26 +262,21 @@ be available for now. -->
<message name="IDS_CERT_ERROR_COMMON_NAME_INVALID_EXTRA_INFO_2" desc="2nd paragraph of extra information for an unsafe common name in an X509 certificate">
In this case, the address listed in the certificate does not match the address of the website your browser tried to go to. One possible reason for this is that your communications are being intercepted by an attacker who is presenting a certificate for a different website, which would cause a mismatch. Another possible reason is that the server is set up to return the same certificate for multiple websites, including the one you are attempting to visit, even though that certificate is not valid for all of those websites. Chromium can say for sure that you reached &lt;strong&gt;<ph name="DOMAIN2">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but cannot verify that that is the same site as &lt;strong&gt;<ph name="DOMAIN">$2<ex>www.paypal.com</ex></ph>&lt;/strong&gt; which you intended to reach. If you proceed, Chromium will not check for any further name mismatches.
</message>
- <message name="IDS_CERT_ERROR_EXPIRED_DETAILS" desc="Details for an expired X509 certificate">
- You attempted to reach &lt;strong&gt;<ph name="DOMAIN">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but the server presented an expired certificate. No information is available to indicate whether that certificate has been compromised since its expiration. This means Chromium cannot guarantee that you are communicating with &lt;strong&gt;<ph name="DOMAIN2">$2<ex>paypal.com</ex></ph>&lt;/strong&gt; and not an attacker. Your computer's clock is currently set to <ph name="CURRENT_TIME">$3<ex>Monday, July 18th, 2012 12:31PM</ex></ph>. Does that look right? If not, you should correct the error and refresh this page.
- </message>
- <message name="IDS_CERT_ERROR_NOT_YET_VALID_DETAILS" desc="Details for an X509 certificate that is not yet valid">
- You attempted to reach &lt;strong&gt;<ph name="DOMAIN">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but the server presented a certificate that is not yet valid. No information is available to indicate whether that certificate can be trusted. Chromium cannot reliably guarantee that you are communicating with &lt;strong&gt;<ph name="DOMAIN2">$2<ex>paypal.com</ex></ph>&lt;/strong&gt; and not an attacker. Your computer's clock is currently set to <ph name="CURRENT_TIME">$3<ex>Monday, July 18th, 2012 12:31PM</ex></ph>. Does that look right? If not, you should correct your system's clock and then refresh this page.
- </message>
<if expr="is_ios">
<message name="IDS_CERT_ERROR_AUTHORITY_INVALID_DETAILS" desc="Details for an X509 certificate with an invalid authority">
- You attempted to reach &lt;strong&gt;<ph
-name="DOMAIN">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but the server presented a certificate issued by an entity that is not trusted by Chromium. This may mean that the server has generated its own security credentials, which Chromium cannot rely on for identity information, or an attacker may be trying to intercept your communications.
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate is not trusted by Chromium. This may be caused by a misconfiguration or an attacker intercepting your connection.
</message>
</if>
- <if expr="not is_ios">
+ <if expr="is_android">
<message name="IDS_CERT_ERROR_AUTHORITY_INVALID_DETAILS" desc="Details for an X509 certificate with an invalid authority">
- You attempted to reach &lt;strong&gt;<ph name="DOMAIN">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Chromium cannot rely on for identity information, or an attacker may be trying to intercept your communications.
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate is not trusted by your device's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
+ </message>
+ </if>
+ <if expr="not is_ios and not is_android">
+ <message name="IDS_CERT_ERROR_AUTHORITY_INVALID_DETAILS" desc="Details for an X509 certificate with an invalid authority">
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
</message>
</if>
- <message name="IDS_CERT_ERROR_CONTAINS_ERRORS_DETAILS" desc="Details of the error page for an X509 certificate that contains errors">
- You attempted to reach &lt;strong&gt;<ph name="DOMAIN">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but the certificate that the server presented contains errors. Chromium cannot use a certificate with errors and cannot validate the identity of the site that you have attempted to connect to.
- </message>
<message name="IDS_TASK_MANAGER_TITLE" desc="The title of the Task Manager window">
Task Manager - Chromium
</message>
diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index 9ba345c..5171dc8 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -2454,7 +2454,7 @@ Even if you have downloaded files from this website before, the website might ha
This is probably not the site you are looking for!
</message>
<message name="IDS_CERT_ERROR_COMMON_NAME_INVALID_DETAILS" desc="Details for an unsafe common name in an X509 certificate">
- You attempted to reach <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>, but instead you actually reached a server identifying itself as <ph name="DOMAIN2">&lt;strong&gt;$2<ex>fakepaypal.com</ex>&lt;/strong&gt;</ph>. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of <ph name="DOMAIN3">&lt;strong&gt;$3<ex>paypal.com</ex>&lt;/strong&gt;</ph>.
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate is from <ph name="DOMAIN2">&lt;strong&gt;$2<ex>fakepaypal.com</ex>&lt;/strong&gt;</ph>. This may be caused by a misconfiguration or an attacker intercepting your connection.
</message>
<message name="IDS_CERT_ERROR_COMMON_NAME_INVALID_DESCRIPTION" desc="Description for an unsafe common name in an X509 certificate">
Server's certificate does not match the URL.
@@ -2463,6 +2463,9 @@ Even if you have downloaded files from this website before, the website might ha
<message name="IDS_CERT_ERROR_EXPIRED_TITLE" desc="Title for an expired X509 certificate">
The site's security certificate has expired!
</message>
+ <message name="IDS_CERT_ERROR_EXPIRED_DETAILS" desc="Details for an expired X509 certificate">
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate expired <ph name="DAYS">$2<ex>3</ex></ph> day(s) ago. This may be caused by a misconfiguration or an attacker intercepting your connection. Your computer's clock is currently set to <ph name="CURRENT_TIME">$3<ex>July 18, 2012</ex></ph>. Does that look right? If not, you should correct your system's clock and then refresh this page.
+ </message>
<message name="IDS_CERT_ERROR_EXPIRED_DETAILS_EXTRA_INFO_2" desc="2nd paragraph of extra information for an expired X509 certificate">
For a certificate which has not expired, the issuer of that certificate is responsible for maintaining something called a "revocation list". If a certificate is ever compromised, the issuer can revoke it by adding it to the revocation list, and then this certificate will no longer be trusted by your browser. Revocation status is not required to be maintained for expired certificates, so while this certificate used to be valid for the website you're visiting, at this point it is not possible to determine whether the certificate was compromised and subsequently revoked, or whether it remains secure. As such it is impossible to tell whether you're communicating with the legitimate website, or whether the certificate was compromised and is now in the possession of an attacker with whom you are communicating.
</message>
@@ -2473,6 +2476,9 @@ Even if you have downloaded files from this website before, the website might ha
<message name="IDS_CERT_ERROR_NOT_YET_VALID_TITLE" desc="Title for an X509 certificate that is not yet valid">
The server's security certificate is not yet valid!
</message>
+ <message name="IDS_CERT_ERROR_NOT_YET_VALID_DETAILS" desc="Details for an X509 certificate that is not yet valid">
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate is supposedly from <ph name="DAYS">$2<ex>3</ex></ph> day(s) in the future. This may be caused by a misconfiguration or an attacker intercepting your connection.
+ </message>
<message name="IDS_CERT_ERROR_NOT_YET_VALID_DETAILS_EXTRA_INFO_2" desc="2nd paragraph of extra information for a X509 certificate that is not yet valid">
Certificates have a validity period, much like any identity document (such as a passport) that you may have. The certificate presented to your browser is not yet valid. When a certificate is outside of its validity period, certain information about the status of the certificate (whether it has been revoked and should no longer be trusted) is not required to be maintained. As such, it is not possible to verify that this certificate is trustworthy. You should not proceed.
</message>
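Review bot: The new IDS_CERT_ERROR_NOT_YET_VALID_DETAILS text drops the "Your computer's clock is currently set to …" sentence that the removed per-brand versions carried and that the new IDS_CERT_ERROR_EXPIRED_DETAILS still keeps. A local clock set in the past is a common benign cause of a not-yet-valid error, so without the hint the user is left choosing between "misconfiguration" and "attacker" with no way to spot their own clock. Consider appending the same sentence with `<ph name="CURRENT_TIME">$3<ex>July 18, 2012</ex></ph>` and passing `base::TimeFormatFriendlyDate(base::Time::Now())` as the third argument in the matching ssl_error_info.cc call. The `desc` attributes of both new messages should also say what `$2` holds (a whole number of days), since translators see only the description.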
@@ -2508,6 +2514,9 @@ Even if you have downloaded files from this website before, the website might ha
<message name="IDS_CERT_ERROR_CONTAINS_ERRORS_TITLE" desc="Title of the error page for an X509 certificate that contains errors">
The server's security certificate has errors!
</message>
+ <message name="IDS_CERT_ERROR_CONTAINS_ERRORS_DETAILS" desc="Details of the error page for an X509 certificate that contains errors">
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate contains errors. This may be caused by a misconfiguration or an attacker intercepting your connection.
+ </message>
<message name="IDS_CERT_ERROR_CONTAINS_ERRORS_EXTRA_INFO_2" desc="2nd paragraph of extra information for a X509 certificate that contains errors">
In this case, the certificate presented to your browser has errors and cannot be understood. This may mean that we cannot understand the identity information within the certificate, or certain other information in the certificate used to secure the connection. You should not proceed.
</message>
@@ -2519,7 +2528,7 @@ Even if you have downloaded files from this website before, the website might ha
Failed to check revocation.
</message>
<message name="IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_DETAILS" desc="Details for being unable to check revocation status of an X509 certificate">
- Unable to check whether the server's certificate was revoked.
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate might be revoked. This may be caused by a misconfiguration or an attacker intercepting your connection.
</message>
<message name="IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_DESCRIPTION" desc="Description for being unable to check revocation status of an X509 certificate">
Server's certificate cannot be checked.
@@ -2529,7 +2538,7 @@ Even if you have downloaded files from this website before, the website might ha
No revocation mechanism found.
</message>
<message name="IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DETAILS" desc="Details for not finding a revocation mechanism in an X509 certificate">
- No revocation mechanism found in the server's certificate.
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate might be revoked. This may be caused by a misconfiguration or an attacker intercepting your connection.
</message>
<message name="IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DESCRIPTION" desc="Description for not finding a revocation mechanism in an X509 certificate">
No revocation mechanism found.
@@ -2591,7 +2600,7 @@ Even if you have downloaded files from this website before, the website might ha
The server certificate contains a domain name that shouldn't be there.
</message>
<message name="IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DETAILS" desc="Details of the error page for a certificate that contains a name outside of its scope">
- You attempted to reach <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>, but the server presented an invalid certificate. The authority who created the certificate is not allowed to speak on behalf of some websites. One of those websites is mentioned in the certificate, even though it shouldn't be.
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate might have been issued fraudulently. This may be caused by a misconfiguration or an attacker intercepting your connection.
</message>
<message name="IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DESCRIPTION" desc="Description of the error page for a certificate that contains a name outside of its scope">
Server's certificate violates name constraints.
diff --git a/chrome/app/google_chrome_strings.grd b/chrome/app/google_chrome_strings.grd
index ead6ef50..4a156a0 100644
--- a/chrome/app/google_chrome_strings.grd
+++ b/chrome/app/google_chrome_strings.grd
@@ -185,26 +185,21 @@ Chrome supports. -->
<message name="IDS_CERT_ERROR_COMMON_NAME_INVALID_EXTRA_INFO_2" desc="2nd paragraph of extra information for an unsafe common name in an X509 certificate">
In this case, the address listed in the certificate does not match the address of the website your browser tried to go to. One possible reason for this is that your communications are being intercepted by an attacker who is presenting a certificate for a different website, which would cause a mismatch. Another possible reason is that the server is set up to return the same certificate for multiple websites, including the one you are attempting to visit, even though that certificate is not valid for all of those websites. Google Chrome can say for sure that you reached &lt;strong&gt;<ph name="DOMAIN2">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but cannot verify that that is the same site as &lt;strong&gt;<ph name="DOMAIN">$2<ex>www.paypal.com</ex></ph>&lt;/strong&gt; which you intended to reach. If you proceed, Chrome will not check for any further name mismatches.
</message>
- <message name="IDS_CERT_ERROR_EXPIRED_DETAILS" desc="Details for an expired X509 certificate">
- You attempted to reach &lt;strong&gt;<ph name="DOMAIN">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but the server presented an expired certificate. No information is available to indicate whether that certificate has been compromised since its expiration. This means Google Chrome cannot guarantee that you are communicating with &lt;strong&gt;<ph name="DOMAIN2">$2<ex>paypal.com</ex></ph>&lt;/strong&gt; and not an attacker. Your computer's clock is currently set to <ph name="CURRENT_TIME">$3<ex>Monday, July 18th, 2012 12:31PM</ex></ph>. Does that look right? If not, you should correct the error and refresh this page.
- </message>
- <message name="IDS_CERT_ERROR_NOT_YET_VALID_DETAILS" desc="Details for an X509 certificate that is not yet valid">
- You attempted to reach &lt;strong&gt;<ph name="DOMAIN">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but the server presented a certificate that is not yet valid. No information is available to indicate whether that certificate can be trusted. Google Chrome cannot reliably guarantee that you are communicating with &lt;strong&gt;<ph name="DOMAIN2">$2<ex>paypal.com</ex></ph>&lt;/strong&gt; and not an attacker. Your computer's clock is currently set to <ph name="CURRENT_TIME">$3<ex>Monday, July 18th, 2012 12:31PM</ex></ph>. Does that look right? If not, you should correct your system's clock and then refresh this page.
- </message>
<if expr="is_ios">
<message name="IDS_CERT_ERROR_AUTHORITY_INVALID_DETAILS" desc="Details for an X509 certificate with an invalid authority">
- You attempted to reach &lt;strong&gt;<ph
-name="DOMAIN">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but the server presented a certificate issued by an entity that is not trusted by Google Chrome. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate is not trusted by Chrome. This may be caused by a misconfiguration or an attacker intercepting your connection.
</message>
</if>
- <if expr="not is_ios">
+ <if expr="is_android">
<message name="IDS_CERT_ERROR_AUTHORITY_INVALID_DETAILS" desc="Details for an X509 certificate with an invalid authority">
- You attempted to reach &lt;strong&gt;<ph name="DOMAIN">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate is not trusted by your device's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
+ </message>
+ </if>
+ <if expr="not is_ios and not is_android">
+ <message name="IDS_CERT_ERROR_AUTHORITY_INVALID_DETAILS" desc="Details for an X509 certificate with an invalid authority">
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
</message>
</if>
- <message name="IDS_CERT_ERROR_CONTAINS_ERRORS_DETAILS" desc="Details of the error page for an X509 certificate that contains errors">
- You attempted to reach &lt;strong&gt;<ph name="DOMAIN">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but the certificate that the server presented contains errors. Google Chrome cannot use a certificate with errors and cannot validate the identity of the site that you have attempted to connect to.
- </message>
<message name="IDS_TASK_MANAGER_TITLE" desc="The title of the Task Manager window">
Task Manager - Google Chrome
</message>
diff --git a/chrome/browser/ssl/ssl_error_info.cc b/chrome/browser/ssl/ssl_error_info.cc
index 71c8fa1..b0e4de5 100644
--- a/chrome/browser/ssl/ssl_error_info.cc
+++ b/chrome/browser/ssl/ssl_error_info.cc
@@ -5,6 +5,7 @@
#include "chrome/browser/ssl/ssl_error_info.h"
#include "base/i18n/time_formatting.h"
+#include "base/strings/string_number_conversions.h"
#include "base/strings/utf_string_conversions.h"
#include "content/public/browser/cert_store.h"
#include "grit/chromium_strings.h"
@@ -58,8 +59,7 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
l10n_util::GetStringFUTF16(IDS_CERT_ERROR_COMMON_NAME_INVALID_DETAILS,
UTF8ToUTF16(request_url.host()),
net::EscapeForHTML(
- UTF8ToUTF16(dns_names[i])),
- UTF8ToUTF16(request_url.host()));
+ UTF8ToUTF16(dns_names[i])));
short_description = l10n_util::GetStringUTF16(
IDS_CERT_ERROR_COMMON_NAME_INVALID_DESCRIPTION);
extra_info.push_back(
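Review bot: In this call the certificate-supplied `dns_names[i]` goes through `net::EscapeForHTML`, while `request_url.host()` is substituted into the same `<strong>`-bearing string unescaped. The host is presumably safe because GURL canonicalizes it, but nothing on the visible lines says so, and the same unescaped pattern appears in the EXPIRED and NOT_YET_VALID calls further down. Either wrap the host uniformly, `net::EscapeForHTML(UTF8ToUTF16(request_url.host()))`, or add a comment such as `// host() is GURL-canonicalized; only certificate-supplied names need escaping.` so that a later edit does not copy the unescaped form for attacker-controlled data. The enclosing CreateError body starts and ends outside this hunk.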
@@ -79,8 +79,9 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
details = l10n_util::GetStringFUTF16(
IDS_CERT_ERROR_EXPIRED_DETAILS,
UTF8ToUTF16(request_url.host()),
- UTF8ToUTF16(request_url.host()),
- base::TimeFormatFriendlyDateAndTime(base::Time::Now()));
+ base::IntToString16(
+ (base::Time::Now() - cert->valid_expiry()).InDays()),
+ base::TimeFormatFriendlyDate(base::Time::Now()));
short_description =
l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXPIRED_DESCRIPTION);
extra_info.push_back(l10n_util::GetStringUTF16(
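Review bot: `(base::Time::Now() - cert->valid_expiry()).InDays()` truncates, so a certificate that expired a few hours ago produces "expired 0 day(s) ago", which reads like a contradiction on a security warning. The not-yet-valid hunk that follows (`cert->valid_start() - base::Time::Now()`) has the same issue. Consider handling a delta of less than one day explicitly, for example with a separate string. Also sample the clock once with `const base::Time now = base::Time::Now();` so that the day count and the displayed date come from the same instant. `base::IntToString16` is not locale-aware; `base::FormatNumber` from base/i18n/number_formatting.h would match the localized sentence around it. The enclosing switch case continues outside the hunk.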
@@ -93,8 +94,8 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
details = l10n_util::GetStringFUTF16(
IDS_CERT_ERROR_NOT_YET_VALID_DETAILS,
UTF8ToUTF16(request_url.host()),
- UTF8ToUTF16(request_url.host()),
- base::TimeFormatFriendlyDateAndTime(base::Time::Now()));
+ base::IntToString16(
+ (cert->valid_start() - base::Time::Now()).InDays()));
short_description =
l10n_util::GetStringUTF16(IDS_CERT_ERROR_NOT_YET_VALID_DESCRIPTION);
extra_info.push_back(
@@ -143,8 +144,10 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DESCRIPTION);
break;
case CERT_UNABLE_TO_CHECK_REVOCATION:
- title = l10n_util::GetStringUTF16(
- IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_TITLE);
+ // TODO(felt): Hasn't this been deprecated?
+ title = l10n_util::GetStringFUTF16(
+ IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_TITLE,
+ UTF8ToUTF16(request_url.host()));
details = l10n_util::GetStringUTF16(
IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_DETAILS);
short_description = l10n_util::GetStringUTF16(
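Review bot: The host argument appears to have been added to the wrong string. `title` is now built with `GetStringFUTF16(IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_TITLE, host)`, but the message that gained a `$1` DOMAIN placeholder in generated_resources.grd is IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_DETAILS, which is still fetched with `GetStringUTF16` and no arguments. As written the details text would be shown with its placeholder unfilled (the title text visible in the .grd context, "Failed to check revocation.", looks to have no placeholder, though its definition is not fully shown). I would restore `title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_TITLE);` and change details to `details = l10n_util::GetStringFUTF16(IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_DETAILS, UTF8ToUTF16(request_url.host()));`. IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DETAILS gained the same `$1`, and its call site in the preceding case is outside this hunk, so it likely needs the same change; this case also continues past the hunk's end.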