Add checkbox for reporting invalid TLS/SSL cert chains

chrome/browser/ssl/ssl_blocking_page.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/ssl_blocking_page.h"
 
 #include "base/build_time.h"
 #include "base/command_line.h"
 #include "base/i18n/rtl.h"
 #include "base/i18n/time_formatting.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram.h"
+#include "base/prefs/pref_service.h"
 #include "base/process/launch.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/time/time.h"
 #include "base/values.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/renderer_preferences_util.h"
 #include "chrome/browser/ssl/ssl_error_classification.h"
 #include "chrome/browser/ssl/ssl_error_info.h"
 #include "chrome/common/chrome_switches.h"
+#include "chrome/common/pref_names.h"
 #include "chrome/grit/chromium_strings.h"
 #include "chrome/grit/generated_resources.h"
 #include "components/google/core/browser/google_util.h"
 #include "content/public/browser/cert_store.h"
 #include "content/public/browser/interstitial_page.h"
 #include "content/public/browser/navigation_controller.h"
 #include "content/public/browser/navigation_entry.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/notification_types.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/renderer_preferences.h"
 #include "content/public/common/ssl_status.h"
 #include "grit/browser_resources.h"
 #include "net/base/hash_value.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
+#include "net/url_request/fraudulent_certificate_reporter.h"
+#include "net/url_request/url_request_context.h"
+#include "net/url_request/url_request_context_getter.h"
 #include "ui/base/l10n/l10n_util.h"
 
 #if defined(OS_WIN)
 #include "base/base_paths_win.h"
 #include "base/path_service.h"
 #include "base/strings/string16.h"
 #include "base/win/windows_version.h"
 #endif
 
 #if defined(OS_ANDROID)
@@ skipping 160 matching lines @@
     &SSLBlockingPage::kTypeForTesting;
 
 // Note that we always create a navigation entry with SSL errors.
 // No error happening loading a sub-resource triggers an interstitial so far.
 SSLBlockingPage::SSLBlockingPage(content::WebContents* web_contents,
                                  int cert_error,
                                  const net::SSLInfo& ssl_info,
                                  const GURL& request_url,
                                  int options_mask,
                                  const base::Callback<void(bool)>& callback)
-    : SecurityInterstitialPage(web_contents, request_url),
+    : SecurityInterstitialPageWithExtendedReporting(web_contents, request_url),
       callback_(callback),
       cert_error_(cert_error),
       ssl_info_(ssl_info),
       overridable_(IsOptionsOverridable(options_mask)),
       danger_overridable_(true),
       strict_enforcement_((options_mask & STRICT_ENFORCEMENT) != 0),
       expired_but_previously_allowed_(
           (options_mask & EXPIRED_BUT_PREVIOUSLY_ALLOWED) != 0) {
   interstitial_reason_ =
       IsErrorDueToBadClock(base::Time::NowFromSystemTime(), cert_error_) ?
@@ skipping 186 matching lines @@
   load_time_data->SetString(
       "issuer", ssl_info_.cert->issuer().GetDisplayName());
   load_time_data->SetString(
       "expirationDate",
       base::TimeFormatShortDate(ssl_info_.cert->valid_expiry()));
   load_time_data->SetString(
       "currentDate", base::TimeFormatShortDate(now));
   std::vector<std::string> encoded_chain;
   ssl_info_.cert->GetPEMEncodedChain(&encoded_chain);
   load_time_data->SetString("pem", JoinString(encoded_chain, std::string()));
+
+  PopulateExtendedReportingOption(load_time_data);
 }
 
 void SSLBlockingPage::OverrideEntry(NavigationEntry* entry) {
   int cert_id = content::CertStore::GetInstance()->StoreCert(
       ssl_info_.cert.get(), web_contents()->GetRenderProcessHost()->GetID());
   DCHECK(cert_id);
 
   entry->GetSSL().security_style =
       content::SECURITY_STYLE_AUTHENTICATION_BROKEN;
   entry->GetSSL().cert_id = cert_id;
@@ skipping 12 matching lines @@
     case CMD_DONT_PROCEED: {
       interstitial_page()->DontProceed();
       break;
     }
     case CMD_PROCEED: {
       if (danger_overridable_) {
         interstitial_page()->Proceed();
       }
       break;
     }
+    case CMD_DO_REPORT: {
+      SetReportingPreference(true);
+      break;
+    }
+    case CMD_DONT_REPORT: {
+      SetReportingPreference(false);
+      break;
+    }
     case CMD_MORE: {
       metrics_helper_->RecordUserInteraction(
           SecurityInterstitialMetricsHelper::SHOW_ADVANCED);
       break;
     }
     case CMD_RELOAD: {
       metrics_helper_->RecordUserInteraction(
           SecurityInterstitialMetricsHelper::RELOAD);
       // The interstitial can't refresh itself.
       web_contents()->GetController().Reload(true);
@@ skipping 24 matching lines @@
       content::RendererPreferences* prefs) {
   Profile* profile = Profile::FromBrowserContext(
       web_contents()->GetBrowserContext());
   renderer_preferences_util::UpdateFromSystemSettings(
       prefs, profile, web_contents());
 }
 
 void SSLBlockingPage::OnProceed() {
   metrics_helper_->RecordUserDecision(
       SecurityInterstitialMetricsHelper::PROCEED);
+
+  // Finish collection information about invalid certificates, if the
+  // user opted in to.
+  FinishCertCollection();
+
   RecordSSLExpirationPageEventState(
       expired_but_previously_allowed_, true, overridable_);
   // Accepting the certificate resumes the loading of the page.
   NotifyAllowCertificate();
 }
 
 void SSLBlockingPage::OnDontProceed() {
   metrics_helper_->RecordUserDecision(
       SecurityInterstitialMetricsHelper::DONT_PROCEED);
+
+  // Finish collection information about invalid certificates, if the
+  // user opted in to.
+  FinishCertCollection();
+
   RecordSSLExpirationPageEventState(
       expired_but_previously_allowed_, false, overridable_);
   NotifyDenyCertificate();
 }
 
+void SSLBlockingPage::FinishCertCollection() {
+  const bool enabled =
+      IsPrefEnabled(prefs::kSafeBrowsingExtendedReportingEnabled);
+  UMA_HISTOGRAM_BOOLEAN("SB2.ExtendedReportingIsEnabled", enabled);
+
+  if (enabled) {
+    net::URLRequestContext* request_context = web_contents()
+                                                  ->GetBrowserContext()
+                                                  ->GetRequestContext()
+                                                  ->GetURLRequestContext();
+    net::FraudulentCertificateReporter* reporter =
+        request_context->fraudulent_certificate_reporter();
+    reporter->SendInvalidChainReport(request_url().host(), ssl_info_);
+  }
+}
+
 void SSLBlockingPage::NotifyDenyCertificate() {
   // It's possible that callback_ may not exist if the user clicks "Proceed"
   // followed by pressing the back button before the interstitial is hidden.
   // In that case the certificate will still be treated as allowed.
   if (callback_.is_null())
     return;
 
   callback_.Run(false);
   callback_.Reset();
 }
@@ skipping 27 matching lines @@
     event_name.append(kEventNotOverridable);
   event_name.append(net::ErrorToString(cert_error_));
   return event_name;
 }
 
 // static
 bool SSLBlockingPage::IsOptionsOverridable(int options_mask) {
   return (options_mask & SSLBlockingPage::OVERRIDABLE) &&
          !(options_mask & SSLBlockingPage::STRICT_ENFORCEMENT);
 }
+
+void SSLBlockingPage::PopulateExtendedReportingOption(
+    base::DictionaryValue* load_time_data) {

[felt, 2015/02/19 00:32:32]

Should we exclude Lucas's clock interstitials, both from showing a checkbox and
from uploading?

[estark, 2015/02/19 02:32:09]

Done.

[estark, 2015/02/19 02:37:30]

On second thought, I do think at some point it could be interesting to collect
data from the clock interstitials... for example, I wonder if users are ever
getting "red herring" clock interstitials, where they received a bad cert but
saw the clock interstitial because their clock happened to be off. Still, I
think it's fine to not collect data from clock interstitials for now to avoid
overwhelming our data set with them, and we can always turn it on later.

[felt, 2015/02/20 19:20:34]

That's an interesting point, I hadn't thought of that. The weird thing though is
that the checkbox text might not make sense on the clock interstitial. Would we
want to upload the clock interstitial if the user is already opted in, but not
show the checkbox? The downside of that is that it might skew the %ages.

[estark, 2015/02/21 06:53:04]

Hmm, so I can think of two or three ways that we could possibly address this:
1. Ideally, maybe it doesn't even make sense to show the clock interstitial at
all if the certificate would fail to validate for some other reason. Or maybe we
should be showing some hybrid interstitial that says both "you should fix your
clock" and "this website is broken." But this sounds kind of hard to implement.
2. Maybe we could use special wording on the checkbox label for the clock
interstitial so that it makes more sense, though I'm not coming up with anything
great at the moment.
3. We briefly discussed today the possibility of recording the causes of the
validation failures in addition to the chains themselves (wrong name, expired
cert, pinning violation, etc.). If we do that, we could go with your idea
(report the clock interstitial if the user is already opted in) and report
inaccurate client clock as the reason for the validation failure. That could
give us some potentially useful data (e.g. reports of red herring clock
interstitials) but would allow us to easily exclude the clock interstitials when
calculating percentages.

[felt, 2015/02/24 01:57:52]

My suggestion to proceed here: include the clock interstitial for now, but take
a screenshot of the checkbox on the clock interstitial and check with Alex
Ainslie (ainslie@) about whether it looks OK.

[estark, 2015/02/24 18:47:08]

Done -- cc'ed you on the email to ainslie.

+  // Only show the checkbox if not off-the-record and if the
+  // command-line option is set.
+  const bool show = !web_contents()->GetBrowserContext()->IsOffTheRecord() &&
+                    base::CommandLine::ForCurrentProcess()->HasSwitch(
+                        switches::kEnableInvalidCertCollection);
+
+  load_time_data->SetBoolean(interstitials::kDisplayCheckBox, show);
+  if (!show)
+    return;
+
+  load_time_data->SetBoolean(
+      interstitials::kBoxChecked,
+      IsPrefEnabled(prefs::kSafeBrowsingExtendedReportingEnabled));
+
+  const std::string privacy_link = base::StringPrintf(
+      interstitials::kPrivacyLinkHtml,
+      l10n_util::GetStringUTF8(IDS_SAFE_BROWSING_PRIVACY_POLICY_PAGE).c_str());
+
+  load_time_data->SetString(
+      "optInLink",
+      l10n_util::GetStringFUTF16(IDS_SAFE_BROWSING_MALWARE_REPORTING_AGREE,
+                                 base::UTF8ToUTF16(privacy_link)));
+}