Bug 1088255: Collect telemetry on CAs that appear in valid cert chains
Status: RESOLVED FIXED (opened 10 years ago, closed 9 years ago)
Category: Core :: Security: PSM, defect
Target Milestone: mozilla36
Reporter: rbarnes; Assignee: Unassigned
Attachments: 1 file (patch, 4.37 KB; keeler: review+)
In support of our management of the CA program, it would be useful to have some idea of how often users encounter the various CAs in practice, as well as how often a locally-installed CA is used. Whenever the browser successfully validates an SSL server certificate, we should collect a Telemetry histogram with one bin for each CA in the root program, plus a bin for "unknown" that would collect locally-installed TAs or exceptions. (That is, the same structure as RootCertificateTelemetryUtils.h) It might be desirable in the future to distinguish among local issuers (from the exception dialogue vs. properly installed), but that doesn't seem like an immediate requirement.
Comment 1 (Reporter) • 10 years ago
Keeler: Does this look like a sensible approach? Mainly concerned about where the telemetry is collected. I want to count once for each SSL server verification. https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=a0a19ac50dbb
Attachment #8511324 - Flags: feedback?(dkeeler)
Comment on attachment 8511324 [details] [diff] [review] bug-1088255.patch Review of attachment 8511324 [details] [diff] [review]: ----------------------------------------------------------------- LGTM. ::: security/manager/ssl/src/SSLServerCertVerification.cpp @@ +961,5 @@ > +// Gathers telemetry on which CA is the root of a given cert chain. > +// If the root is a built-in root, then the telemetry makes a count > +// by root. Roots that are not built-in are counted in one bin. > +void > +GatherCATelemetry(const ScopedCERTCertList& certList) maybe a more descriptive name would be good: "GatherSuccessfulValidationTelemetry" or something @@ +1021,5 @@ > } > > if (rv == SECSuccess) { > GatherBaselineRequirementsTelemetry(certList); > + GatherCATelemetry(certList); This seems like a good place to do this, yes.
Attachment #8511324 - Flags: feedback?(dkeeler) → review+
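Review bot: The comment above GatherCATelemetry in the +961 hunk does not say which certificate in certList is treated as the root, or what the function does when certList is null or empty. It only states that built-in roots are counted per root and all other roots share one bin. Adding both points to the comment would make the contract clear to callers, for example "the last certificate in certList is taken as the root; an empty list records nothing", adjusted to match what the body actually does.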
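Review bot: At the call site in the +1021 hunk, GatherCATelemetry(certList) sits inside `if (rv == SECSuccess)` next to GatherBaselineRequirementsTelemetry(certList), so the histogram is only correct if this block is reached exactly once per server certificate verification. The visible lines do not show how often this path runs, and comment 1 states the goal is one count per SSL server verification. A short comment at the call stating that assumption would keep later changes to this function from double counting or skipping verifications.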
Comment 3 (Reporter) • 9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/6ac497a25cd8
https://hg.mozilla.org/mozilla-central/rev/6ac497a25cd8
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36