Privacy/Reviews/Telemetry/SSL Certificates And Errors: Difference between revisions

Jump to navigation Jump to search

Privacy/Reviews/Telemetry/SSL Certificates And Errors (view source)

Revision as of 19:43, 30 December 2011

238 bytes removed ,  30 December 2011
→‎Measurement to Collect
Line 24: Line 24:


== Measurement to Collect ==
== Measurement to Collect ==
We will collect seven histograms of data.
We will collect five categories of data in nine histograms
* SSL OK
0 - Certificate was bad
1 - Certificate was good
* SSL/TLS Version
* SSL/TLS Version
  0 - Unknown SSL/TLS Version
  0 - Unknown SSL/TLS Version
Line 35: Line 32:
  4 - SSLv3.1 / TLS 1.0
  4 - SSLv3.1 / TLS 1.0
* Negotiated Ciphersuite
* Negotiated Ciphersuite
** The values are an index mapping to the array SSL_ImplementedCiphers in [http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ssl/sslenum.c sslenum.c]
** All implemented ciphersuites will be collected, though partitioned into different histograms
** If elliptic curve cryptography (ECC) is not enabled at compile time, then the values are stored as index + 256. This leaks some information about a user's build.
** CIPHERSUITE
** Retrieving the ciphersuite from the data involves performing a lookup in the table, adjusting for ECC if needed.
*** These are SSLv3+ ciphersuites that are less than 0x0100
  n - Index into SSL_ImplementedCiphers
** CIPHERSUITE_OTHER
* Generic SSL/TLS Certificate Error
*** These are SSLv2 / informational ciphersuites that which start with either 0xFE or 0xFF
** Based on errors defined in ]mxr.mozilla.org/mozilla-central/source/security/nss/lib/util/secerr.h secerr.h]
** CIPHERSUITE_C0
** Value is calculated by subtracting SSL_ERROR_BASE from the errorcode
*** These are ECC ciphers that start with 0xC0
n - SSL errorcode
** Converting from a bucket to ciphersuite involves taking the bitwise-or of the high-bit for histogram and the bucket.
* Detailed SSL/TLS Certificate Error
*** There are no collisions in the CIPHERSUITE_OTHER case for now.
** The above generic errors may map to more specific errors
  n - Index into ciphersuite partition
** More than one of the below errors can occur. The resulting value will be the bitwise-or of the applicable flags
* Error
** Untrusted Issuer/Domain Mismatch/Invalid Time are defined in [http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsICertOverrideService.idl nsICertOverrideService.idl]
** SSL_ERROR
0 - Certificate Revoked
*** Errors of the form SSL_ERROR_x defined in [http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ssl/sslerr.h sslerr.h]
1 - Self-signed Certificate
*** error base = (-0x3000)
2 - Untrusted Issuer
** SSL_ERROR_SEC
4 - Domain Mismatch
*** Errors of the form SEC_ERROR_x defined in [http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/util/secerr.h secerr.h]
  8 - Invalid Time (expired / not valid yet)
*** error base = (-0x2000)
** SSL_ERROR_NSPR
*** Errors of the form PR_x defined in prerr.h
*** error base = (-6000L)
  n - ErrorCode adjusted by appropriate error base
* Server RSA Public Key Modulus
* Server RSA Public Key Modulus
  0 - Server doesn't use RSA
  0 - Server doesn't use RSA
Dchan
Confirmed users
110

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/382562"

Navigation menu