Add a flag to certificate reports to indicate if the machine is in an enterprise setting

Issue description

Cert errors encountered by machines in enterprise environments might be of different nature than non-enterprise machines. A boolean flag in reports could tell us how they actually differ.
Jul 13 2016
Can you indicate what you might mean by "enterprise setting"? :)
Jul 13 2016
I guess that would be base::win::IsEnrolledToDomain and its equivalents on other platforms.
Jul 13 2016
It's the "equivalents on other platforms" that I was wondering about :)

As I see it, one possibility is looking if the device is on a domain, but that doesn't really provide insight for !Win. You could look at Android to see if they have an MDM (I believe), but that also doesn't really have equivalents on other platforms.

I could see the argument going that you could look to see if enterprise policies are applied (which, AIUI, on Win is only possible if IsEnrolledToDomain), which at least has a consistent definition across platforms, but not all enterprise-managed devices are going to use Chrome enterprise policies.

It could be that we only really care about Windows, and that's reasonable, since Windows Enterprise users are more likely to have windows update/authroot updates blocked (in favour of being managed by WSUS and authroot redirect URLs), both of which would/could cause trust store issues, but it sounded like this was meant for cross-platform (or at least, lacks a bug label), so I wasn't sure how it was being imagined to be scoped :)

(And it's also possible this hasn't been noodled about yet and was just a tracking bug, in which case, hopefully the above remarks spark further noodling about possibilities) :)
Jul 13 2016
> It's the "equivalents on other platforms" that I was wondering about :)

Okay, I was hoping the smarter collective somehow figured that out already :) If that's not the case, an enterprise policy being applied was my next heuristic. Maybe these could be recorded as separate bits (even though the policy bit always implies the domain enrolled bit on Windows). ChromeOS also seems to have an existing IsEnterpriseManaged API.

This is just a tracking bug and hasn't been scoped fully. Any additional insight we can get into the incoming reports would be valuable in terms of whether they are related to enterprise policies. And it looks like SafeBrowsing reports already collect isEnrolledToDomain bit for Windows, so maybe we could also start with adding that bit for now?
Jul 13 2016
Oh, for sure, I think this is totally good and wasn't trying to derail it, just that the "in an enterprise setting" has been tricky to define. I totally think collecting Windows domain enrollment is probably the most valuable bit, across all the platforms. (Second-order I would say the NSS version being used and libraries loaded)
Jul 13 2016
I didn't mean to imply you were derailing it :) I was just assuming there was a magical bit that existed across all platforms, but it's good to know that it doesn't exist yet. We might need a separate bug for NSS version and the libraries loaded though, as we'll first need to figure out the privacy implications of doing that.
Jun 30 2017
We probably want to do this with Windows domain enrollment as a starter.
Jul 7 2017
I'm going to go ahead and start this for the Windows setting right now. I'll see what additional heuristics I can figure out after that.
Jul 14 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1f6b0b9fbab313c9fd6a509d0662a1a8199e8983

commit 1f6b0b9fbab313c9fd6a509d0662a1a8199e8983
Author: Sasha Perigo <sperigo@chromium.org>
Date: Fri Jul 14 17:51:50 2017

Add a IsEnterpriseManaged flag to our cert reports which is True if either the Windows or ChromeOS IsEnterpriseManaged() flags are set. As of yet, we don't have similar heuristics for getting this info from other operating systems.

Bug: 600840
Change-Id: I9c319d4c24ab74058b84b47e17c1d73b1cd28908
Reviewed-on: https://chromium-review.googlesource.com/565176
Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
Reviewed-by: Emily Stark <estark@chromium.org>
Commit-Queue: Sasha Perigo <sperigo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486800}

[modify] https://crrev.com/1f6b0b9fbab313c9fd6a509d0662a1a8199e8983/chrome/browser/ssl/cert_report_helper.cc
[modify] https://crrev.com/1f6b0b9fbab313c9fd6a509d0662a1a8199e8983/components/certificate_reporting/cert_logger.proto
[modify] https://crrev.com/1f6b0b9fbab313c9fd6a509d0662a1a8199e8983/components/certificate_reporting/error_report.cc
[modify] https://crrev.com/1f6b0b9fbab313c9fd6a509d0662a1a8199e8983/components/certificate_reporting/error_report.h
[modify] https://crrev.com/1f6b0b9fbab313c9fd6a509d0662a1a8199e8983/components/certificate_reporting/error_report_unittest.cc
Jul 14 2017
I'm going to mark this fixed for the time being. CL #565176 adds an is_enterprise_managed flag that looks at the IsEnterpriseManaged flags available on Windows and ChromeOS. We've yet to determine heuristics for other OSes, but this CL does cover the majority of users and gives us a jumping-off point to use in debugging with the logs.
Comment 1 by cbiesin...@chromium.org, Jul 13 2016