Calculate severity score for date_invalid error

chrome/browser/ssl/ssl_error_classification.cc

+// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/ssl_error_classification.h"
+
+#include "base/build_time.h"
+#include "base/metrics/field_trial.h"
+#include "base/metrics/histogram.h"
+#include "base/time/time.h"
+#include "chrome/browser/browser_process.h"
+#include "components/network_time/network_time_tracker.h"
+#include "net/cert/x509_certificate.h"
+
+using base::Time;
+using base::TimeTicks;
+using base::TimeDelta;
+
+namespace {
+
+// Events for UMA. Do not reorder or change!
+enum SSLInterstitialCause {
+  CLOCK_PAST,
+  CLOCK_FUTURE,
+  UNUSED_INTERSTITIAL_CAUSE_ENTRY,
+};
+
+void RecordSSLInterstitialCause(bool overridable, SSLInterstitialCause event) {
+  if (overridable) {
+    UMA_HISTOGRAM_ENUMERATION("interstitial.ssl.cause.overridable", event,
+                              UNUSED_INTERSTITIAL_CAUSE_ENTRY);
+  } else {
+    UMA_HISTOGRAM_ENUMERATION("interstitial.ssl.cause.nonoverridable", event,
+                              UNUSED_INTERSTITIAL_CAUSE_ENTRY);
+  }
+}
+
+} // namespace
+
+SSLErrorClassification::SSLErrorClassification(
+    base::Time current_time,
+    const net::X509Certificate& cert)
+  : current_time_(current_time),
+    cert_(cert) { }
+
+SSLErrorClassification::~SSLErrorClassification() { }
+
+float SSLErrorClassification::InvalidDateSeverityScore() const{
+  // Client-side characterisitics. Check whether the system's clock is wrong or
+  // not and whether the user has encountered this error before or not.
+  float severity_date_score = 0.0;
+
+  static const float kClientWeightage = 0.5;
+  static const float kSystemClockWeightage = 0.75;
+  static const float kSystemClockWrongWeightage = 1;
+  static const float kSystemClockRightWeightage = 0.1;
+
+  static const float kServerWeightage = 0.5;
+  static const float kCertificateExpiredWeightage = 0.3;
+  static const float kNotYetValidWeightage = 0.2;
+
+  if (IsUserClockInThePast(current_time_)  ||
+      IsUserClockInTheFuture(current_time_)) {
+    severity_date_score = kClientWeightage * kSystemClockWeightage *
+        kSystemClockWrongWeightage;
+  } else {
+    severity_date_score = kClientWeightage * kSystemClockWeightage *
+        kSystemClockRightWeightage;
+  }
+  // TODO(radhikabhar): Check website settings.
+
+  // Server-side characteristics. Check whether the certificate has expired or
+  // is not yet valid. If the certificate has expired then factor the time which
+  // has passed since expiry.
+  if (cert_.HasExpired()) {
+    severity_date_score += kServerWeightage * kCertificateExpiredWeightage *
+        CalculateScoreTimePassedSinceExpiry();
+  }
+  if (current_time_ < cert_.valid_start())
+    severity_date_score += kServerWeightage * kNotYetValidWeightage;
+  return severity_date_score;
+}
+
+base::TimeDelta SSLErrorClassification::TimePassedSinceExpiry() const{
+  base::TimeDelta delta = current_time_ - cert_.valid_expiry();
+  return delta;
+}
+
+float SSLErrorClassification::CalculateScoreTimePassedSinceExpiry() const{
+  base::TimeDelta delta = TimePassedSinceExpiry();
+  int64 time_passed = delta.InDays();
+  const int64 kHighThreshold = 7;
+  const int64 kLowThreshold = 4;
+  static const float kHighThresholdWeightage = 0.4;
+  static const float kMediumThresholdWeightage = 0.3;
+  static const float kLowThresholdWeightage = 0.2;
+  if (time_passed >= kHighThreshold)
+    return kHighThresholdWeightage;
+  else if (time_passed >= kLowThreshold)
+    return kMediumThresholdWeightage;
+  else
+    return kLowThresholdWeightage;
+}
+
+bool SSLErrorClassification::IsUserClockInThePast(base::Time time_now) {
+  base::Time build_time = base::GetBuildTime();
+  if (time_now < build_time)

[felt, 2014/07/11 14:12:48]

this code used to add a little buffer (2 days), in case of time zone changes or
something else that made the time just a little wonky

[radhikabhar, 2014/07/11 16:34:46]

Done.

+    return true;
+  return false;
+}
+
+bool SSLErrorClassification::IsUserClockInTheFuture(base::Time time_now) {

[felt, 2014/07/11 14:12:48]

In the .h file, you should probably clarify that this tells you **either** if
the clock is in the future or if someone is using a super old version of chrome
(a year old).

[radhikabhar, 2014/07/11 16:34:46]

Done.

+  base::Time build_time = base::GetBuildTime();
+  if (time_now > build_time + base::TimeDelta::FromDays(365))
+    return true;
+  return false;
+}
+
+void SSLErrorClassification::RecordUMAStatistics(bool overridable) {
+  if (IsUserClockInThePast(current_time_))
+    RecordSSLInterstitialCause(overridable, CLOCK_PAST);
+  if (IsUserClockInTheFuture(current_time_))
+    RecordSSLInterstitialCause(overridable, CLOCK_FUTURE);
+}
+