MozillaWiki

Privacy/Reviews/Telemetry/SSL Certificates And Errors: Difference between revisions

Page Discussion

Privacy/Reviews/Telemetry/SSL Certificates And Errors (view source)

Revision as of 23:11, 8 December 2011

101 bytes added ,  8 December 2011
→‎Measurement to Collect
Line 24: Line 24:


== Measurement to Collect ==
== Measurement to Collect ==
We will collect five histograms of data.
We will collect seven histograms of data.
* SSL OK
0 - Certificate was bad
1 - Certificate was good
* SSL/TLS Version
* SSL/TLS Version
  0 - Unknown SSL/TLS Version
  0 - Unknown SSL/TLS Version
Line 35: Line 38:
** If elliptic curve cryptography (ECC) is not enabled at compile time, then the values are stored as index + 256. This leaks some information about a user's build.
** If elliptic curve cryptography (ECC) is not enabled at compile time, then the values are stored as index + 256. This leaks some information about a user's build.
** Retrieving the ciphersuite from the data involves performing a lookup in the table, adjusting for ECC if needed.
** Retrieving the ciphersuite from the data involves performing a lookup in the table, adjusting for ECC if needed.
n - Index into SSL_ImplementedCiphers
* Generic SSL/TLS Certificate Error
* Generic SSL/TLS Certificate Error
** Below values are defined in [http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsIX509Cert.idl nsIX509Cert.idl]
** Based on errors defined in ]mxr.mozilla.org/mozilla-central/source/security/nss/lib/util/secerr.h secerr.h]
** Mapping of below errors to NSS SEC_* errors can be found in [http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSCertificate.cpp nsNSSCertificate.cpp]
** Value is calculated by subtracting SSL_ERROR_BASE from the errorcode
0 - NOT_VERIFIED_UNKNOWN
  n - SSL errorcode
1 - CERT_REVOKED
2 - CERT_EXPIRED
3 - CERT_NOT_TRUSTED
4 - ISSUER_NOT_TRUSTED
5 - ISSUER_UNKNOWN
6 - INVALID_CA
  7 - USAGE_NOT_ALLOWED
* Detailed SSL/TLS Certificate Error
* Detailed SSL/TLS Certificate Error
** The above generic errors may map to more specific errors
** The above generic errors may map to more specific errors
** More than one of the below errors can occur. The resulting value will be the bitwise-or of the applicable flags
** More than one of the below errors can occur. The resulting value will be the bitwise-or of the applicable flags
*** Self-signed and untrusted can not occur at the same time
** Untrusted Issuer/Domain Mismatch/Invalid Time are defined in [http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsICertOverrideService.idl nsICertOverrideService.idl]
0 - Certificate Revoked
  1 - Self-signed Certificate
  1 - Self-signed Certificate
  2 - Untrusted Issuer
  2 - Untrusted Issuer
Line 57: Line 55:
  0 - Server doesn't use RSA
  0 - Server doesn't use RSA
  n - # of bits in server modulus
  n - # of bits in server modulus
* SSL/TLS Intolerant site
** Logs connection attempts to sites which do not implement TLS properly
1 - Server is intolerant


= Privacy Considerations =
= Privacy Considerations =
Dchan
Confirmed users
110

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/377213"