New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 691103 link

Starred by 3 users
Status: Fixed
Owner:
jialiul@chromium.org
Last visit > 30 days ago
Closed: May 2017
Cc:
dvadym@chromium.org
vakh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Log non-whitelisted password-reuses to UMA

Project Member Reported by nparker@chromium.org, Feb 10 2017 
We need some code in components/safe_browsing[db] that can be called by the PasswordReuseDetector on the UI thread to
* Check the main frame URL against the CSD whitelist
* Increment an UMA counter with the results (or maybe if it's not whitelisted -- talk dvadym about existing metrics).

Later we'll connect that to a ping/warn flow. I described some potential code structure near the end of http://go/phishguard-mvp doc.

dvadym -- Can you point to the code that should call this? Thx.

Comment 1 by dvadym@chromium.org, Feb 13 2017 

Here is the logging of other metrics
https://cs.chromium.org/chromium/src/components/password_manager/core/browser/password_reuse_detection_manager.cc?sq=package:chromium&l=60

This is OnReuseFound method that's called, when the reuse is happened.

Ideally it would be to call here Safe Browsing in order to make logging into SafeBrowsing components. This method is called on UI thread, Password Manager doesn't have IO thread runner, so it would be better to call SB on UI thread and then SB will switch to IO thread.

Let me know if you have more questions. We can arrange VC to discuss it.

Comment 2 by jialiul@chromium.org, Feb 14 2017

Status: Started (was: Untriaged)
Got it. I'll expose a function shortly. Something like safe_browsing::PasswordProtectionService::CheckCsdWhitelistAndLogResult(const GURL& main_frame_url) which can be called on UI thread.

Any preference on UMA metric name and type?

Comment 3 by nparker@chromium.org, Feb 14 2017 

How about a function more like ...RecordPasswordReuse(), so we could later extend it to send a ping / show a warning?

For UMA, there is PasswordManager.PasswordReuse.*:
  .NumberOFMatches
  .PasswordFieldDetected
  .PasswordLength
  .TotalPasswords

We could continue there with .Whitelisted [true/false].  Or it could go under SafeBrowsing.*.  We'll want to differentiate these from found-password-field flows.

Comment 4 by jialiul@chromium.org, Feb 14 2017 

how about 2 metrics:
PasswordManager.PasswordReuse.MainFrameUrlWhitelisted [true/false]

And on safe browsing side, we log
SafeBrowsing.PasswordProtection.RequestCancelReason  with enums such as
   -- database_manager_not available
   -- match whitelist
   -- not SBER
   -- off the record
   -- no history
   ...... etc

Comment 5 by nparker@chromium.org, Feb 16 2017 

SGTM.  We should just ensure we can reason about the flow, and can show a series of metrics that reduce in counts as we filter out requests.

Comment 6 by vakh@chromium.org, Feb 24 2017

Labels: SafeBrowsing-Triaged
Project Member

Comment 7 by bugdroid1@chromium.org, Mar 2 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8b7d485807e80a6fd022fe96c474ff97fb75fc03

commit 8b7d485807e80a6fd022fe96c474ff97fb75fc03
Author: jialiul <jialiul@chromium.org>
Date: Thu Mar 02 22:22:06 2017

Call CSD whitelist checking on UI thread and record UMA

This is the first part of CL to log non-whitelisted password-reuses
to UMA. This CL creates a function on UI thread to trigger the
checking of CSD whitelist (actual checking happens on IO thread),
such that password_reuse_detection_manager can call.

BUG= 691103 

Review-Url: https://codereview.chromium.org/2720643003
Cr-Commit-Position: refs/heads/master@{#454405}

[modify] https://crrev.com/8b7d485807e80a6fd022fe96c474ff97fb75fc03/chrome/browser/BUILD.gn
[modify] https://crrev.com/8b7d485807e80a6fd022fe96c474ff97fb75fc03/chrome/browser/safe_browsing/safe_browsing_service.cc
[modify] https://crrev.com/8b7d485807e80a6fd022fe96c474ff97fb75fc03/chrome/browser/safe_browsing/safe_browsing_service.h
[modify] https://crrev.com/8b7d485807e80a6fd022fe96c474ff97fb75fc03/components/BUILD.gn
[add] https://crrev.com/8b7d485807e80a6fd022fe96c474ff97fb75fc03/components/safe_browsing/password_protection/BUILD.gn
[add] https://crrev.com/8b7d485807e80a6fd022fe96c474ff97fb75fc03/components/safe_browsing/password_protection/DEPS
[add] https://crrev.com/8b7d485807e80a6fd022fe96c474ff97fb75fc03/components/safe_browsing/password_protection/password_protection_service.cc
[add] https://crrev.com/8b7d485807e80a6fd022fe96c474ff97fb75fc03/components/safe_browsing/password_protection/password_protection_service.h
[add] https://crrev.com/8b7d485807e80a6fd022fe96c474ff97fb75fc03/components/safe_browsing/password_protection/password_protection_service_unittest.cc
[modify] https://crrev.com/8b7d485807e80a6fd022fe96c474ff97fb75fc03/tools/metrics/histograms/histograms.xml

Comment 9 by jialiul@chromium.org, Mar 7 2017

Labels: Merge-Request-58
Request merge comment #8 into M58.
Not sure if I need to merge comment #7 too.

Comment 10 by jialiul@chromium.org, Mar 7 2017

Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows

Comment 11 by jialiul@chromium.org, Mar 7 2017

Status: Fixed (was: Started)
Project Member

Comment 12 by sheriffbot@chromium.org, Mar 7 2017

Labels: -Merge-Request-58 Merge-Review-58 Hotlist-Merge-Review
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), bhthompson@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 13 by bugdroid1@chromium.org, Mar 9 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e1687f47332e8001e48d883c683d810e3c1311b1

commit e1687f47332e8001e48d883c683d810e3c1311b1
Author: jialiul <jialiul@chromium.org>
Date: Thu Mar 09 01:40:15 2017

Revert of wire PasswordProtectionService into PasswordReuseDetectionManager (patchset #4 id:110001 of https://codereview.chromium.org/2734863004/ )

Reason for revert:
This CL causes crashes  crbug.com/699551 

Original issue's description:
> wire PasswordProtectionService into PasswordReuseDetectionManager
>
> Wire PasswordProtectionService into PasswordReuseDetectionManager to
> help log non-whitelisted password-reuses to UMA
>
> BUG= 691103 
>
> Review-Url: https://codereview.chromium.org/2734863004
> Cr-Commit-Position: refs/heads/master@{#455250}
> Committed: https://chromium.googlesource.com/chromium/src/+/3b7571b5b5900a3d4582d62abe23b1a193bbee83

TBR=dvadym@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG= 691103 

Review-Url: https://codereview.chromium.org/2738073002
Cr-Commit-Position: refs/heads/master@{#455628}

[modify] https://crrev.com/e1687f47332e8001e48d883c683d810e3c1311b1/chrome/browser/password_manager/chrome_password_manager_client.cc
[modify] https://crrev.com/e1687f47332e8001e48d883c683d810e3c1311b1/chrome/browser/password_manager/chrome_password_manager_client.h
[modify] https://crrev.com/e1687f47332e8001e48d883c683d810e3c1311b1/components/password_manager/core/browser/BUILD.gn
[modify] https://crrev.com/e1687f47332e8001e48d883c683d810e3c1311b1/components/password_manager/core/browser/DEPS
[modify] https://crrev.com/e1687f47332e8001e48d883c683d810e3c1311b1/components/password_manager/core/browser/password_reuse_detection_manager.cc
[modify] https://crrev.com/e1687f47332e8001e48d883c683d810e3c1311b1/components/password_manager/core/browser/password_reuse_detection_manager.h

Comment 14 by jialiul@chromium.org, Mar 9 2017

Labels: -Merge-Review-58
CL reverted. removing merge review request label.

Comment 15 by jialiul@chromium.org, Mar 9 2017

Status: Started (was: Fixed)
Project Member

Comment 16 by bugdroid1@chromium.org, Mar 9 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1d1cff37eca89741800bed9e0603bc20a79e186d

commit 1d1cff37eca89741800bed9e0603bc20a79e186d
Author: jialiul <jialiul@chromium.org>
Date: Thu Mar 09 21:09:52 2017

wire PasswordProtectionService into PasswordReuseDetectionManager

Wire PasswordProtectionService into PasswordReuseDetectionManager to
help log non-whitelisted password-reuses to UMA

BUG= 691103 

Review-Url: https://codereview.chromium.org/2734863004
Cr-Original-Commit-Position: refs/heads/master@{#455250}
Committed: https://chromium.googlesource.com/chromium/src/+/3b7571b5b5900a3d4582d62abe23b1a193bbee83
Review-Url: https://codereview.chromium.org/2734863004
Cr-Commit-Position: refs/heads/master@{#455862}

[modify] https://crrev.com/1d1cff37eca89741800bed9e0603bc20a79e186d/chrome/browser/password_manager/chrome_password_manager_client.cc
[modify] https://crrev.com/1d1cff37eca89741800bed9e0603bc20a79e186d/chrome/browser/password_manager/chrome_password_manager_client.h
[modify] https://crrev.com/1d1cff37eca89741800bed9e0603bc20a79e186d/chrome/browser/safe_browsing/safe_browsing_service.cc
[modify] https://crrev.com/1d1cff37eca89741800bed9e0603bc20a79e186d/components/password_manager/core/browser/BUILD.gn
[modify] https://crrev.com/1d1cff37eca89741800bed9e0603bc20a79e186d/components/password_manager/core/browser/DEPS
[modify] https://crrev.com/1d1cff37eca89741800bed9e0603bc20a79e186d/components/password_manager/core/browser/password_reuse_detection_manager.cc
[modify] https://crrev.com/1d1cff37eca89741800bed9e0603bc20a79e186d/components/password_manager/core/browser/password_reuse_detection_manager.h

Comment 17 by jialiul@chromium.org, Mar 9 2017

Labels: -Hotlist-Merge-Review

Comment 18 by jialiul@chromium.org, May 5 2017

Status: Fixed (was: Started)

Sign in to add a comment