Closed Bug 1088255 Opened 10 years ago Closed 9 years ago

Collect telemetry on CAs that appear in valid cert chains

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla36

People

(Reporter: rbarnes, Unassigned)

Details

Attachments

(1 file)

In support of our management of the CA program, it would be useful to have some idea of how often users encounter the various CAs in practice, as well as how often a locally-installed CA is used.  

Whenever the browser successfully validates an SSL server certificate, we should collect a Telemetry histogram with one bin for each CA in the root program, plus a bin for "unknown" that would collect locally-installed TAs or exceptions.  (That is, the same structure as RootCertificateTelemetryUtils.h)  

It might be desirable in the future to distinguish among local issuers (from the exception dialogue vs. properly installed), but that doesn't seem like an immediate requirement.
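The binning scheme described in the bug (one histogram bin per root in the program, plus a single bin for everything else) is easy to get subtly wrong, so here is an added example of the classification and counting logic. This is illustrative code written for this page, not Mozilla's PSM implementation or anything from RootCertificateTelemetryUtils.h. It assumes roots are identified by the SHA-256 fingerprint of their DER encoding held in a sorted table, that bin 0 is the "unknown" bin for locally-installed trust anchors and exception overrides, that a verified chain is passed leaf-first with the root last, and that counting happens only when verification succeeded. The `BUILTIN_ROOT_DER` byte strings are constructed placeholders, not real certificates.

```python
import hashlib
from bisect import bisect_left
from collections import Counter

# Constructed placeholder "DER" blobs standing in for built-in root certificates.
# A real table would hold the DER of every root in the program's root store.
BUILTIN_ROOT_DER = [
    b"constructed-root-A",
    b"constructed-root-B",
    b"constructed-root-C",
]

# Bin 0 collects roots that are not built in: locally-installed trust anchors
# and certificate-error overrides (assumed layout, mirroring the bug's proposal).
UNKNOWN_BIN = 0


def fingerprint(der: bytes) -> bytes:
    """SHA-256 over the DER encoding identifies a root independent of its name."""
    return hashlib.sha256(der).digest()


# Sorted fingerprint table so lookup is a binary search. Bin numbers are
# 1..N by position in the sorted table, leaving 0 free for "unknown".
_TABLE = sorted(fingerprint(d) for d in BUILTIN_ROOT_DER)


def root_ca_bin(root_der: bytes) -> int:
    """Map a root certificate to its histogram bin (0 if not a built-in root)."""
    fp = fingerprint(root_der)
    i = bisect_left(_TABLE, fp)
    if i < len(_TABLE) and _TABLE[i] == fp:
        return i + 1
    return UNKNOWN_BIN


class RootCAHistogram:
    """Accumulates one count per successful server-certificate verification."""

    def __init__(self) -> None:
        self.counts: Counter = Counter()

    def record_verification(self, chain: list, verified: bool):
        """chain is leaf-first with the trust anchor last (assumed ordering).

        Returns the bin that was counted, or None if nothing was recorded
        (failed verification or an empty chain must not be counted, since the
        bug asks for exactly one count per successful verification)."""
        if not verified or not chain:
            return None
        root_bin = root_ca_bin(chain[-1])
        self.counts[root_bin] += 1
        return root_bin


if __name__ == "__main__":
    hist = RootCAHistogram()
    hist.record_verification([b"leaf", b"intermediate", b"constructed-root-B"], True)
    hist.record_verification([b"leaf", b"local-corp-root"], True)   # lands in bin 0
    hist.record_verification([b"leaf", b"constructed-root-A"], False)  # not counted
    print(dict(hist.counts))
```

The point of keeping the unknown bin separate from the per-root bins is that a locally-installed root (corporate MITM proxies, antivirus roots, dev CAs) never collides with a program root even if it copies that root's subject name, because the lookup keys on the fingerprint rather than on any name. The `verified` guard is what implements "count once for each SSL server verification" that succeeds; failed handshakes never reach the histogram.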
Keeler: Does this look like a sensible approach?  Mainly concerned about where the telemetry is collected.  I want to count once for each SSL server verification.

https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=a0a19ac50dbb
Attachment #8511324 - Flags: feedback?(dkeeler)
Comment on attachment 8511324 [details] [diff] [review]
bug-1088255.patch

Review of attachment 8511324 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.

::: security/manager/ssl/src/SSLServerCertVerification.cpp
@@ +961,5 @@
> +// Gathers telemetry on which CA is the root of a given cert chain.
> +// If the root is a built-in root, then the telemetry makes a count
> +// by root.  Roots that are not built-in are counted in one bin.
> +void
> +GatherCATelemetry(const ScopedCERTCertList& certList)
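Review bot: the header comment on GatherCATelemetry should also state which Telemetry histogram it records into and what the function does when certList is empty or has no root to classify (skip, or count in the non-built-in bin); as written the comment documents the built-in versus non-built-in split but leaves that case undocumented.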

maybe a more descriptive name would be good: "GatherSuccessfulValidationTelemetry" or something

@@ +1021,5 @@
>    }
>  
>    if (rv == SECSuccess) {
>      GatherBaselineRequirementsTelemetry(certList);
> +    GatherCATelemetry(certList);
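Review bot: placing GatherCATelemetry(certList) under `if (rv == SECSuccess)` next to GatherBaselineRequirementsTelemetry gives exactly one count per successful server-certificate verification, which is what the bug asks for; the one thing to confirm is that certList at this point is the chain the verification actually built and validated, so the root both gatherers see is the trust anchor that anchored the verification and not a list assembled earlier.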

This seems like a good place to do this, yes.
Attachment #8511324 - Flags: feedback?(dkeeler) → review+
https://hg.mozilla.org/mozilla-central/rev/6ac497a25cd8
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36