
Issue 633732

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug




Add UMA metric to count Must-Staple certificates chaining to private roots

Project Member Reported by est...@chromium.org, Aug 2 2016

Issue description

Expect-Staple currently sends reports on both public and private roots. In the latter case, the report might not be very useful, as it doesn't inform the site operator about a problem that they need to fix. (We might, in fact, want to disable reporting on private roots.) What we are interested in is what MITM proxies tend to do with the TLS feature extension, i.e. whether they copy it blindly into the generated MITM certificate. To get a rough idea, we can add an UMA counter for whenever we see a Must-Staple certificate that chains to a private root. This will measure the prevalence of MITM proxies that copy the TLS feature extension and private PKIs using Must-Staple.
 
Project Member Comment 1 by bugdroid1@chromium.org, Oct 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2e2e27cf8745fc190864cf182d5467363d59fb13

commit 2e2e27cf8745fc190864cf182d5467363d59fb13
Author: estark <estark@chromium.org>
Date: Sat Oct 22 04:32:36 2016

Record UMA metrics for Must-Staple certificates on private roots

We'd like to get an idea of what MITM proxies tend to do with the TLS
Feature Extension (colloquially known as Must-Staple). If MITM proxies
blindly copy the extension into generated certificates, then deploying
Must-Staple will cause a lot of breakage, due to MITM proxies generating
Must-Staple certificates but not stapling OCSP responses.

This CL adds an UMA metric for the presence of the TLS Feature Extension
in certificates that chain to private roots, as a baby step in this
investigation. (Note that this conflates misbehaving MITM proxies with
private PKIs that are using Must-Staple, so it's only a starting point
for an investigation.)

A new asn1::HasTLSFeatureExtension() function is used to record this
histogram.

BUG= 633732 

Review-Url: https://chromiumcodereview.appspot.com/2436233002
Cr-Commit-Position: refs/heads/master@{#426971}

[modify] https://crrev.com/2e2e27cf8745fc190864cf182d5467363d59fb13/net/cert/asn1_util.cc
[modify] https://crrev.com/2e2e27cf8745fc190864cf182d5467363d59fb13/net/cert/asn1_util.h
[modify] https://crrev.com/2e2e27cf8745fc190864cf182d5467363d59fb13/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/2e2e27cf8745fc190864cf182d5467363d59fb13/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/2e2e27cf8745fc190864cf182d5467363d59fb13/net/cert/x509_certificate_unittest.cc
[modify] https://crrev.com/2e2e27cf8745fc190864cf182d5467363d59fb13/net/data/ssl/certificates/README
[add] https://crrev.com/2e2e27cf8745fc190864cf182d5467363d59fb13/net/data/ssl/certificates/tls_feature_extension.pem
[modify] https://crrev.com/2e2e27cf8745fc190864cf182d5467363d59fb13/net/data/ssl/scripts/ee.cnf
[modify] https://crrev.com/2e2e27cf8745fc190864cf182d5467363d59fb13/net/data/ssl/scripts/generate-test-certs.sh
[modify] https://crrev.com/2e2e27cf8745fc190864cf182d5467363d59fb13/net/net.gypi
[modify] https://crrev.com/2e2e27cf8745fc190864cf182d5467363d59fb13/tools/metrics/histograms/histograms.xml
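
Added illustration, not Chromium's code: a small Python DER walker that performs the same check as the CL's asn1::HasTLSFeatureExtension() on a certificate's Extensions list, and additionally reports which feature values (RFC 7633) the extension requests. The helper names and the constructed sample bytes are assumptions of this example; it reads a DER Extensions SEQUENCE, not a whole certificate.

```python
# Added example, not Chromium code: detect the TLS Feature Extension
# (RFC 7633, OID 1.3.6.1.5.5.7.1.24) in a DER X.509 Extensions list.
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
STATUS_REQUEST = 5  # TLS extension type for OCSP stapling (RFC 6066)

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn DER OID contents into dotted notation."""
    arcs, acc = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def tls_feature_extension(extensions_der):
    """Return the TLS feature values as a list, or None if the extension is absent."""
    _, exts, _ = read_tlv(extensions_der, 0)  # Extensions ::= SEQUENCE OF Extension
    pos = 0
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)  # Extension ::= SEQUENCE {oid, [critical], value}
        _, oid, p = read_tlv(ext, 0)
        if decode_oid(oid) != TLS_FEATURE_OID:
            continue
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:  # skip the optional BOOLEAN critical flag
            _, val, p = read_tlv(ext, p)
        _, features, _ = read_tlv(val, 0)  # OCTET STRING wraps SEQUENCE OF INTEGER
        out, q = [], 0
        while q < len(features):
            _, num, q = read_tlv(features, q)
            out.append(int.from_bytes(num, "big"))
        return out
    return None

def is_must_staple(extensions_der):  # True when feature 5 (status_request) is demanded
    feats = tls_feature_extension(extensions_der)
    return feats is not None and STATUS_REQUEST in feats

# Constructed sample input (short-form lengths): basicConstraints (2.5.29.19)
# alone, and basicConstraints followed by a TLS Feature Extension with value 5.
def der(tag, content):
    return bytes([tag, len(content)]) + content

BASIC_CONSTRAINTS = der(0x30, der(0x06, bytes.fromhex("551d13")) + der(0x04, der(0x30, b"")))
MUST_STAPLE = der(0x30, der(0x06, bytes.fromhex("2b06010505070118")) + der(0x04, der(0x30, der(0x02, b"\x05"))))
PLAIN_EXTS, STAPLE_EXTS = der(0x30, BASIC_CONSTRAINTS), der(0x30, BASIC_CONSTRAINTS + MUST_STAPLE)
```

As in the CL, presence of the extension alone cannot distinguish a proxy that copied it from a private PKI that deployed Must-Staple deliberately; that distinction needs chain information this snippet does not have.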

Comment 2 by est...@chromium.org, Oct 22 2016

Labels: M-56
Status: Fixed (was: Assigned)
