Calculate severity score for date_invalid error

BUG=390346

Review URL: https://codereview.chromium.org/376663002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@282878 0039d316-1c4b-4281-b951-d872f2087c98

chrome/browser/ssl/ssl_blocking_page.cc

@@ -20,6 +20,7 @@
 #include "chrome/browser/history/history_service_factory.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/renderer_preferences_util.h"
+#include "chrome/browser/ssl/ssl_error_classification.h"
 #include "chrome/browser/ssl/ssl_error_info.h"
 #include "chrome/common/chrome_switches.h"
 #include "content/public/browser/cert_store.h"
@@ -215,45 +216,6 @@ void RecordSSLBlockingPageDetailedStats(
   }
 }
 
-// Events for UMA. Do not reorder or change!
-enum SSLInterstitialCause {
-  CLOCK_PAST,
-  CLOCK_FUTURE,
-  UNUSED_INTERSTITIAL_CAUSE_ENTRY,
-};
-
-void RecordSSLInterstitialCause(bool overridable, SSLInterstitialCause event) {
-  if (overridable) {
-    UMA_HISTOGRAM_ENUMERATION("interstitial.ssl.cause.overridable",
-                              event,
-                              UNUSED_INTERSTITIAL_CAUSE_ENTRY);
-  } else {
-    UMA_HISTOGRAM_ENUMERATION("interstitial.ssl.cause.nonoverridable",
-                              event,
-                              UNUSED_INTERSTITIAL_CAUSE_ENTRY);
-  }
-}
-
-// The cause of most clock errors (CMOS battery causing clock reset) will
-// fall backwards, not forwards. IsErrorProbablyCausedByClock therefore only
-// returns true for clocks set early, and histograms clocks set far into the
-// future to see if there are more future-clocks than expected.
-bool IsErrorProbablyCausedByClock(bool overridable, int cert_info) {
-  if (SSLErrorInfo::NetErrorToErrorType(cert_info) !=
-      SSLErrorInfo::CERT_DATE_INVALID) {
-    return false;
-  }
-  const base::Time current_time = base::Time::NowFromSystemTime();
-  const base::Time build_time = base::GetBuildTime();
-  if (current_time < build_time - base::TimeDelta::FromDays(2)) {
-    RecordSSLInterstitialCause(overridable, CLOCK_PAST);
-    return true;
-  }
-  if (current_time > build_time + base::TimeDelta::FromDays(365))
-    RecordSSLInterstitialCause(overridable, CLOCK_FUTURE);
-  return false;
-}
-
 }  // namespace
 
 // Note that we always create a navigation entry with SSL errors.
@@ -300,6 +262,11 @@ SSLBlockingPage::SSLBlockingPage(
           &request_tracker_);
     }
   }
+  if (SSLErrorInfo::NetErrorToErrorType(cert_error_) ==
+      SSLErrorInfo::CERT_DATE_INVALID) {
+    SSLErrorClassification::RecordUMAStatistics(overridable_ &&
+                                                !strict_enforcement_);
+  }
 
 #if defined(ENABLE_CAPTIVE_PORTAL_DETECTION)
   CaptivePortalService* captive_portal_service =
@@ -524,8 +491,10 @@ std::string SSLBlockingPage::GetHTMLContentsV2() {
       "tabTitle", l10n_util::GetStringUTF16(IDS_SSL_V2_TITLE));
   load_time_data.SetString(
       "heading", l10n_util::GetStringUTF16(IDS_SSL_V2_HEADING));
-  if (IsErrorProbablyCausedByClock(
-          overridable_ && !strict_enforcement_, cert_error_)) {
+  if ((SSLErrorClassification::IsUserClockInThePast(
+      base::Time::NowFromSystemTime()))
+      && (SSLErrorInfo::NetErrorToErrorType(cert_error_) ==
+          SSLErrorInfo::CERT_DATE_INVALID)) {
     load_time_data.SetString("primaryParagraph",
                              l10n_util::GetStringFUTF16(
                                  IDS_SSL_CLOCK_ERROR,

chrome/browser/ssl/ssl_error_classification.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/ssl_error_classification.h"
+
+#include "base/build_time.h"
+#include "base/metrics/field_trial.h"
+#include "base/metrics/histogram.h"
+#include "base/time/time.h"
+#include "chrome/browser/browser_process.h"
+#include "components/network_time/network_time_tracker.h"
+#include "net/cert/x509_certificate.h"
+
+using base::Time;
+using base::TimeTicks;
+using base::TimeDelta;
+
+namespace {
+
+// Events for UMA. Do not reorder or change!
+enum SSLInterstitialCause {
+  CLOCK_PAST,
+  CLOCK_FUTURE,
+  UNUSED_INTERSTITIAL_CAUSE_ENTRY,
+};
+
+void RecordSSLInterstitialCause(bool overridable, SSLInterstitialCause event) {
+  if (overridable) {
+    UMA_HISTOGRAM_ENUMERATION("interstitial.ssl.cause.overridable", event,
+                              UNUSED_INTERSTITIAL_CAUSE_ENTRY);
+  } else {
+    UMA_HISTOGRAM_ENUMERATION("interstitial.ssl.cause.nonoverridable", event,
+                              UNUSED_INTERSTITIAL_CAUSE_ENTRY);
+  }
+}
+
+} // namespace
+
+SSLErrorClassification::SSLErrorClassification(
+    base::Time current_time,
+    const net::X509Certificate& cert)
+  : current_time_(current_time),
+    cert_(cert) { }
+
+SSLErrorClassification::~SSLErrorClassification() { }
+
+float SSLErrorClassification::InvalidDateSeverityScore() const {
+  // Client-side characterisitics. Check whether the system's clock is wrong or
+  // not and whether the user has encountered this error before or not.
+  float severity_date_score = 0.0f;
+
+  static const float kClientWeight = 0.5f;
+  static const float kSystemClockWeight = 0.75f;
+  static const float kSystemClockWrongWeight = 0.1f;
+  static const float kSystemClockRightWeight = 1.0f;
+
+  static const float kServerWeight = 0.5f;
+  static const float kCertificateExpiredWeight = 0.3f;
+  static const float kNotYetValidWeight = 0.2f;
+
+  if (IsUserClockInThePast(current_time_)  ||
+      IsUserClockInTheFuture(current_time_)) {
+    severity_date_score = kClientWeight * kSystemClockWeight *
+        kSystemClockWrongWeight;
+  } else {
+    severity_date_score = kClientWeight * kSystemClockWeight *
+        kSystemClockRightWeight;
+  }
+  // TODO(radhikabhar): (crbug.com/393262) Check website settings.
+
+  // Server-side characteristics. Check whether the certificate has expired or
+  // is not yet valid. If the certificate has expired then factor the time which
+  // has passed since expiry.
+  if (cert_.HasExpired()) {
+    severity_date_score += kServerWeight * kCertificateExpiredWeight *
+        CalculateScoreTimePassedSinceExpiry();
+  }
+  if (current_time_ < cert_.valid_start())
+    severity_date_score += kServerWeight * kNotYetValidWeight;
+  return severity_date_score;
+}
+
+base::TimeDelta SSLErrorClassification::TimePassedSinceExpiry() const {
+  base::TimeDelta delta = current_time_ - cert_.valid_expiry();
+  return delta;
+}
+
+float SSLErrorClassification::CalculateScoreTimePassedSinceExpiry() const {
+  base::TimeDelta delta = TimePassedSinceExpiry();
+  int64 time_passed = delta.InDays();
+  const int64 kHighThreshold = 7;
+  const int64 kLowThreshold = 4;
+  static const float kHighThresholdWeight = 0.4f;
+  static const float kMediumThresholdWeight = 0.3f;
+  static const float kLowThresholdWeight = 0.2f;
+  if (time_passed >= kHighThreshold)
+    return kHighThresholdWeight;
+  else if (time_passed >= kLowThreshold)
+    return kMediumThresholdWeight;
+  else
+    return kLowThresholdWeight;
+}
+
+bool SSLErrorClassification::IsUserClockInThePast(base::Time time_now) {
+  base::Time build_time = base::GetBuildTime();
+  if (time_now < build_time - base::TimeDelta::FromDays(2))
+    return true;
+  return false;
+}
+
+bool SSLErrorClassification::IsUserClockInTheFuture(base::Time time_now) {
+  base::Time build_time = base::GetBuildTime();
+  if (time_now > build_time + base::TimeDelta::FromDays(365))
+    return true;
+  return false;
+}
+
+void SSLErrorClassification::RecordUMAStatistics(bool overridable) {
+  if (IsUserClockInThePast(base::Time::NowFromSystemTime()))
+    RecordSSLInterstitialCause(overridable, CLOCK_PAST);
+  if (IsUserClockInTheFuture(base::Time::NowFromSystemTime()))
+    RecordSSLInterstitialCause(overridable, CLOCK_FUTURE);
+}

chrome/browser/ssl/ssl_error_classification.h

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_
+#define CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_
+
+#include "base/time/time.h"
+#include "net/cert/x509_certificate.h"
+
+// This class calculates the severity scores for the different type of SSL
+// errors.
+class SSLErrorClassification {
+ public:
+  SSLErrorClassification(base::Time current_time,
+                         const net::X509Certificate& cert);
+  ~SSLErrorClassification();
+
+  // This method checks whether the user clock is in the past or not.
+  static bool IsUserClockInThePast(base::Time time_now);
+
+  // This method checks whether the system time is too far in the future or
+  // the user is using a version of Chrome which is more than 1 year old.
+  static bool IsUserClockInTheFuture(base::Time time_now);
+
+  // A method which calculates the severity score when the ssl error is
+  // CERT_DATE_INVALID.
+  float InvalidDateSeverityScore() const;
+
+  static void RecordUMAStatistics(bool overridable);
+  base::TimeDelta TimePassedSinceExpiry() const;
+
+ private:
+  FRIEND_TEST_ALL_PREFIXES(SSLErrorClassification, TestDateInvalidScore);
+
+  float CalculateScoreTimePassedSinceExpiry() const;
+
+  // This stores the current time.
+  base::Time current_time_;
+
+  // This stores the certificate.
+  const net::X509Certificate& cert_;
+};
+
+#endif  // CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_

chrome/browser/ssl/ssl_error_classification_unittest.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/ssl_error_classification.h"
+
+#include "base/files/file_path.h"
+#include "base/time/time.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/cert_test_util.h"
+#include "net/test/test_certificate_data.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+using base::Time;
+
+TEST(SSLErrorClassification, TestDateInvalidScore) {
+  base::FilePath certs_dir = net::GetTestCertsDirectory();
+  scoped_refptr<net::X509Certificate> expired_cert =
+      net::ImportCertFromFile(certs_dir, "expired_cert.pem");
+  base::Time time;
+
+  {
+    EXPECT_TRUE(base::Time::FromString("Wed, 03 Jan 2007 12:00:00 GMT", &time));
+    SSLErrorClassification ssl_error(time, *expired_cert);
+    EXPECT_FLOAT_EQ(0.2f, ssl_error.CalculateScoreTimePassedSinceExpiry());
+  }
+
+  {
+    EXPECT_TRUE(base::Time::FromString("Sat, 06 Jan 2007 12:00:00 GMT", &time));
+    SSLErrorClassification ssl_error(time, *expired_cert);
+    EXPECT_FLOAT_EQ(0.3f, ssl_error.CalculateScoreTimePassedSinceExpiry());
+  }
+
+  {
+    EXPECT_TRUE(base::Time::FromString("Mon, 08 Jan 2007 12:00:00 GMT", &time));
+    SSLErrorClassification ssl_error(time, *expired_cert);
+    EXPECT_FLOAT_EQ(0.4f, ssl_error.CalculateScoreTimePassedSinceExpiry());
+  }
+
+}

chrome/chrome_browser.gypi

@@ -1250,6 +1250,8 @@
       'browser/ssl/ssl_client_certificate_selector.h',
       'browser/ssl/ssl_error_info.cc',
       'browser/ssl/ssl_error_info.h',
+      'browser/ssl/ssl_error_classification.cc',
+      'browser/ssl/ssl_error_classification.h',
       'browser/status_icons/status_icon.cc',
       'browser/status_icons/status_icon.h',
       'browser/status_icons/status_icon_menu_model.cc',

chrome/chrome_tests_unit.gypi

@@ -1323,6 +1323,7 @@
         'browser/spellchecker/spellcheck_service_unittest.cc',
         'browser/spellchecker/spelling_service_client_unittest.cc',
         'browser/spellchecker/word_trimmer_unittest.cc',
+        'browser/ssl/ssl_error_classification_unittest.cc',
         'browser/status_icons/status_icon_menu_model_unittest.cc',
         'browser/status_icons/status_icon_unittest.cc',
         'browser/status_icons/status_tray_unittest.cc',