Add two additional CT histograms

Desktop / Chromium - Emily Stark [] - 18 October 2017 04:29 EDT

- What percentage of connections with EV certificates are CT-compliant? We used to have this histogram but removed it when the EV whitelist was removed. I think it's still useful to have around, as it helps us gauge how often connections that are supposed to be CT-compliant are in fact CT-compliant. For example, a high rate of non-compliant EV certs might indicate that a CA is logging improperly.

- What percentage of connections where CT is required are actually CT-compliant? As above, this helps us judge whether servers that are supposed to send CT actually are. The existing count that we have of the ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error code is not enough to tell us this, because it doesn't tell us how many connections were actually supposed to have CT, only how many were supposed to but didn't.

The latter histogram requires a modification to the return value of TransportSecurityState::CheckCTRequirements; instead of returning early when a connection is compliant and telling the caller that CT requirements were met, it now differentiates "CT requirements met" from "CT wasn't required". (An alternative approach is to record the histogram inside CheckCTRequirements itself and not modify its return value, but I thought it was preferable to minimize side effects inside that method [even though it does already have other side effects, unfortunately].)

Bug: 772534
Change-Id: Ifd3d6f72475e07e1470b0d0b171f9ce0a325807e
Reviewed-on:
Commit-Queue: Emily Stark

0d9809e Add two additional CT histograms
net/http/ | 35 ++--
net/http/transport_security_state.h | 6 +-
net/http/ | 30 +--
.../chromium/crypto/ | 53 +++--
.../crypto/ | 225 +++++++++++++++++++++
net/socket/ | 49 ++++-
net/socket/ | 205 +++++++++++++++++++
net/spdy/chromium/ | 22 +-
tools/metrics/histograms/histograms.xml | 52 +++++
9 files changed, 610 insertions(+), 67 deletions(-)
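
The commit message's point about the missing denominator, as an added example that is not code from this commit or from Chromium: a three-way status lets the caller count only connections where CT was required, while a bare failure count cannot distinguish the two constructed samples. All type and function names and the sample data are assumptions made for illustration.

```cpp
// Added illustration. All names are hypothetical, not Chromium's identifiers.
#include <cstddef>
#include <cstdio>
#include <vector>

// Three-way result, so "CT wasn't required" is distinct from "requirements met".
enum class CTStatus { kNotRequired, kRequirementsMet, kRequirementsNotMet };

struct Connection {   // constructed per-connection facts
  bool ct_required;   // policy requires CT for this connection
  bool ct_compliant;  // the connection satisfied the CT policy
};

CTStatus CheckCT(const Connection& c) {
  if (!c.ct_required) return CTStatus::kNotRequired;
  return c.ct_compliant ? CTStatus::kRequirementsMet
                        : CTStatus::kRequirementsNotMet;
}

struct Counts {
  size_t required = 0, compliant = 0, failures = 0;
  double Rate() const {
    return required ? static_cast<double>(compliant) / required : 0.0;
  }
};

// Only connections where CT was required contribute a sample; the failure
// count alone corresponds to the existing error-code metric.
Counts Tally(const std::vector<Connection>& conns) {
  Counts n;
  for (const Connection& c : conns) {
    CTStatus s = CheckCT(c);
    if (s == CTStatus::kNotRequired) continue;
    ++n.required;
    if (s == CTStatus::kRequirementsMet) ++n.compliant; else ++n.failures;
  }
  return n;
}

// Constructed samples: same failure count, very different compliance rates.
std::vector<Connection> SampleA() {
  return {{true, true}, {true, true}, {true, true}, {true, false},
          {false, false}, {false, true}};
}
std::vector<Connection> SampleB() {
  return {{true, false}, {false, false}, {false, true}, {false, true}};
}

int main() {
  Counts a = Tally(SampleA()), b = Tally(SampleB());
  std::printf("A: %zu failures, rate %.2f\n", a.failures, a.Rate());
  std::printf("B: %zu failures, rate %.2f\n", b.failures, b.Rate());
}
```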

