From 93272ab9ec84b4dd90a93fb2aab8ddd94f250d63 Mon Sep 17 00:00:00 2001
From: estark <estark@chromium.org>
Date: Wed, 25 Mar 2015 16:54:01 -0700
Subject: [PATCH] Add checkbox for reporting invalid TLS/SSL cert chains

This is a stub for now; eventually it will report invalid certificate
chains on SSL interstitials to a server endpoint. Right now it logs the
report but doesn't actually send it anywhere. The checkbox is
tied in with Safe Browsing Extended Reporting.

BUG=461588

Review URL: https://codereview.chromium.org/935663004

Cr-Commit-Position: refs/heads/master@{#322265}
---
 chrome/app/generated_resources.grd                 |   6 +
 chrome/browser/about_flags.cc                      |   9 +-
 chrome/browser/chrome_content_browser_client.cc    |   8 +-
 .../security_interstitial_metrics_helper.cc        |   3 +
 .../security_interstitial_metrics_helper.h         |   3 +
 .../interstitials/security_interstitial_page.cc    |  58 ++++++
 .../interstitials/security_interstitial_page.h     |  24 +++
 chrome/browser/net/certificate_error_reporter.cc   |  18 +-
 chrome/browser/net/certificate_error_reporter.h    |  14 +-
 .../net/certificate_error_reporter_unittest.cc     |  10 +-
 .../net/chrome_fraudulent_certificate_reporter.cc  |   3 +-
 ...ome_fraudulent_certificate_reporter_unittest.cc |   5 +-
 .../security_warnings/extended_reporting.js        |  40 +++++
 .../security_warnings/interstitial_v2.css          |  46 +++--
 .../security_warnings/interstitial_v2.html         |   4 +-
 .../resources/security_warnings/interstitial_v2.js |   2 +-
 .../resources/security_warnings/safe_browsing.js   |  25 ---
 chrome/browser/safe_browsing/ping_manager.cc       |  33 +++-
 chrome/browser/safe_browsing/ping_manager.h        |  17 ++
 .../safe_browsing/safe_browsing_blocking_page.cc   |  81 +++------
 .../safe_browsing/safe_browsing_blocking_page.h    |   8 +-
 .../safe_browsing_blocking_page_test.cc            |   4 +-
 chrome/browser/safe_browsing/ui_manager.cc         |  29 ++-
 chrome/browser/safe_browsing/ui_manager.h          |  16 +-
 chrome/browser/ssl/ssl_blocking_page.cc            | 130 +++++++++++---
 chrome/browser/ssl/ssl_blocking_page.h             |  24 ++-
 chrome/browser/ssl/ssl_browser_tests.cc            | 198 ++++++++++++++++++++-
 chrome/browser/ssl/ssl_error_handler.cc            |  29 +--
 chrome/browser/ssl/ssl_error_handler.h             |   6 +
 chrome/browser/ssl/ssl_error_handler_unittest.cc   |   4 +-
 .../ui/webui/interstitials/interstitial_ui.cc      |  10 +-
 chrome/common/chrome_switches.cc                   |   3 +
 chrome/common/chrome_switches.h                    |   1 +
 tools/metrics/histograms/histograms.xml            |  12 ++
 34 files changed, 707 insertions(+), 176 deletions(-)
 create mode 100644 chrome/browser/resources/security_warnings/extended_reporting.js
 delete mode 100644 chrome/browser/resources/security_warnings/safe_browsing.js

diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index 880876f77040..2893fc744112 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -15826,6 +15826,12 @@ Do you accept?
         <ph name="EVENT_NAME">$3<ex>Event Description</ex></ph>
       </message>
 
+      <message name="IDS_ENABLE_INVALID_CERT_COLLECTION" desc="Name of the 'Enable invalid certificate collection' flag.">
+        Enable opt-in for reporting invalid TLS/SSL certificate chains
+      </message>
+      <message name="IDS_ENABLE_INVALID_CERT_COLLECTION_DESCRIPTION" desc="Description of the 'Enable invalid certificate collection' flag.">
+        Allows users to opt in to the collection of invalid TLS/SSL certificate chains.
+      </message>
     </messages>
   </release>
 </grit>
diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
index 00e63375d1c9..e3dd1db7debd 100644
--- a/chrome/browser/about_flags.cc
+++ b/chrome/browser/about_flags.cc
@@ -2269,7 +2269,14 @@ const Experiment kExperiments[] = {
     IDS_FLAGS_ENABLE_MEDIA_ROUTER_DESCRIPTION,
     kOsAll,
     SINGLE_VALUE_TYPE(switches::kEnableMediaRouter)
-  }
+  },
+  {
+    "enable-cert-collection",
+    IDS_ENABLE_INVALID_CERT_COLLECTION,
+    IDS_ENABLE_INVALID_CERT_COLLECTION_DESCRIPTION,
+    kOsAll,
+    SINGLE_VALUE_TYPE(switches::kEnableInvalidCertCollection)
+  },
 
   // NOTE: Adding new command-line switches requires adding corresponding
   // entries to enum "LoginCustomFlags" in histograms.xml. See note in
diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc
index c1869b95dda6..12671618756e 100644
--- a/chrome/browser/chrome_content_browser_client.cc
+++ b/chrome/browser/chrome_content_browser_client.cc
@@ -60,6 +60,7 @@
 #include "chrome/browser/push_messaging/push_messaging_permission_context_factory.h"
 #include "chrome/browser/renderer_host/chrome_render_message_filter.h"
 #include "chrome/browser/renderer_host/pepper/chrome_browser_pepper_host_factory.h"
+#include "chrome/browser/safe_browsing/safe_browsing_service.h"
 #include "chrome/browser/search/instant_service.h"
 #include "chrome/browser/search/instant_service_factory.h"
 #include "chrome/browser/search/search.h"
@@ -1803,8 +1804,13 @@ void ChromeContentBrowserClient::AllowCertificateError(
   if (expired_previous_decision)
     options_mask |= SSLBlockingPage::EXPIRED_BUT_PREVIOUSLY_ALLOWED;
 
+  SafeBrowsingService* safe_browsing_service =
+      g_browser_process->safe_browsing_service();
   SSLErrorHandler::HandleSSLError(
-      tab, cert_error, ssl_info, request_url, options_mask, callback);
+      tab, cert_error, ssl_info, request_url, options_mask,
+      safe_browsing_service ? safe_browsing_service->ui_manager().get()
+                            : nullptr,
+      callback);
 }
 
 void ChromeContentBrowserClient::SelectClientCertificate(
diff --git a/chrome/browser/interstitials/security_interstitial_metrics_helper.cc b/chrome/browser/interstitials/security_interstitial_metrics_helper.cc
index ab2a143492af..433fcab3201f 100644
--- a/chrome/browser/interstitials/security_interstitial_metrics_helper.cc
+++ b/chrome/browser/interstitials/security_interstitial_metrics_helper.cc
@@ -151,6 +151,9 @@ void SecurityInterstitialMetricsHelper::RecordUserInteraction(
     case RELOAD:
     case OPEN_TIME_SETTINGS:
     case TOTAL_VISITS:
+    case SET_EXTENDED_REPORTING_ENABLED:
+    case SET_EXTENDED_REPORTING_DISABLED:
+    case EXTENDED_REPORTING_IS_ENABLED:
     case MAX_INTERACTION:
       break;
   }
diff --git a/chrome/browser/interstitials/security_interstitial_metrics_helper.h b/chrome/browser/interstitials/security_interstitial_metrics_helper.h
index 1808852bc987..0224bc9bc62d 100644
--- a/chrome/browser/interstitials/security_interstitial_metrics_helper.h
+++ b/chrome/browser/interstitials/security_interstitial_metrics_helper.h
@@ -42,6 +42,9 @@ class SecurityInterstitialMetricsHelper {
     SHOW_LEARN_MORE,
     RELOAD,
     OPEN_TIME_SETTINGS,
+    SET_EXTENDED_REPORTING_ENABLED,
+    SET_EXTENDED_REPORTING_DISABLED,
+    EXTENDED_REPORTING_IS_ENABLED,
     MAX_INTERACTION
   };
 
diff --git a/chrome/browser/interstitials/security_interstitial_page.cc b/chrome/browser/interstitials/security_interstitial_page.cc
index 1370f1cb811d..3551d1215936 100644
--- a/chrome/browser/interstitials/security_interstitial_page.cc
+++ b/chrome/browser/interstitials/security_interstitial_page.cc
@@ -5,20 +5,40 @@
 #include "chrome/browser/interstitials/security_interstitial_page.h"
 
 #include "base/i18n/rtl.h"
+
+#include "base/metrics/histogram.h"
 #include "base/prefs/pref_service.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "chrome/browser/browser_process.h"
+#include "chrome/browser/interstitials/security_interstitial_metrics_helper.h"
+#include "chrome/browser/net/referrer.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/grit/browser_resources.h"
+#include "chrome/grit/generated_resources.h"
+#include "components/google/core/browser/google_util.h"
 #include "content/public/browser/interstitial_page.h"
+#include "content/public/browser/page_navigator.h"
 #include "content/public/browser/web_contents.h"
 #include "net/base/net_util.h"
+#include "ui/base/l10n/l10n_util.h"
 #include "ui/base/resource/resource_bundle.h"
 #include "ui/base/webui/jstemplate_builder.h"
 #include "ui/base/webui/web_ui_util.h"
 
+namespace interstitials {
+const char kBoxChecked[] = "boxchecked";
+const char kDisplayCheckBox[] = "displaycheckbox";
+const char kOptInLink[] = "optInLink";
+const char kPrivacyLinkHtml[] =
+    "<a id=\"privacy-link\" href=\"\" onclick=\"sendCommand(%d); "
+    "return false;\" onmousedown=\"return false;\">%s</a>";
+}
+
+using content::OpenURLParams;
+using content::Referrer;
+
 SecurityInterstitialPage::SecurityInterstitialPage(
     content::WebContents* web_contents,
     const GURL& request_url)
@@ -58,6 +78,44 @@ void SecurityInterstitialPage::Show() {
   interstitial_page_->Show();
 }
 
+void SecurityInterstitialPage::SetReportingPreference(bool report) {
+  Profile* profile =
+      Profile::FromBrowserContext(web_contents()->GetBrowserContext());
+  PrefService* pref = profile->GetPrefs();
+  pref->SetBoolean(prefs::kSafeBrowsingExtendedReportingEnabled, report);
+  metrics_helper()->RecordUserInteraction(
+      report
+          ? SecurityInterstitialMetricsHelper::SET_EXTENDED_REPORTING_ENABLED
+          : SecurityInterstitialMetricsHelper::SET_EXTENDED_REPORTING_DISABLED);
+}
+
+bool SecurityInterstitialPage::IsPrefEnabled(const char* pref) {
+  Profile* profile =
+      Profile::FromBrowserContext(web_contents()->GetBrowserContext());
+  return profile->GetPrefs()->GetBoolean(pref);
+}
+
+void SecurityInterstitialPage::OpenExtendedReportingPrivacyPolicy() {
+  metrics_helper()->RecordUserInteraction(
+      SecurityInterstitialMetricsHelper::SHOW_PRIVACY_POLICY);
+  GURL privacy_url(
+      l10n_util::GetStringUTF8(IDS_SAFE_BROWSING_PRIVACY_POLICY_URL));
+  privacy_url = google_util::AppendGoogleLocaleParam(
+      privacy_url, g_browser_process->GetApplicationLocale());
+  OpenURLParams params(privacy_url, Referrer(), CURRENT_TAB,
+                       ui::PAGE_TRANSITION_LINK, false);
+  web_contents()->OpenURL(params);
+}
+
+SecurityInterstitialMetricsHelper* SecurityInterstitialPage::metrics_helper() {
+  return metrics_helper_.get();
+}
+
+void SecurityInterstitialPage::set_metrics_helper(
+    SecurityInterstitialMetricsHelper* metrics_helper) {
+  metrics_helper_.reset(metrics_helper);
+}
+
 base::string16 SecurityInterstitialPage::GetFormattedHostName() const {
   std::string languages;
   Profile* profile =
diff --git a/chrome/browser/interstitials/security_interstitial_page.h b/chrome/browser/interstitials/security_interstitial_page.h
index d3bf1e22a233..2f1520ed3a9e 100644
--- a/chrome/browser/interstitials/security_interstitial_page.h
+++ b/chrome/browser/interstitials/security_interstitial_page.h
@@ -18,6 +18,16 @@ class InterstitialPage;
 class WebContents;
 }
 
+namespace interstitials {
+// Constants used to communicate with the JavaScript.
+extern const char kBoxChecked[];
+extern const char kDisplayCheckBox[];
+extern const char kOptInLink[];
+extern const char kPrivacyLinkHtml[];
+}
+
+class SecurityInterstitialMetricsHelper;
+
 class SecurityInterstitialPage : public content::InterstitialPageDelegate {
  public:
   // These represent the commands sent from the interstitial JavaScript.
@@ -72,7 +82,21 @@ class SecurityInterstitialPage : public content::InterstitialPageDelegate {
   content::WebContents* web_contents() const;
   GURL request_url() const;
 
+  // Record the user's preference for reporting information about
+  // malware and SSL errors.
+  void SetReportingPreference(bool report);
+
+  // Returns the boolean value of the given |pref| from the PrefService of the
+  // Profile associated with |web_contents_|.
+  bool IsPrefEnabled(const char* pref);
+
+  void OpenExtendedReportingPrivacyPolicy();
+
+  SecurityInterstitialMetricsHelper* metrics_helper();
+  void set_metrics_helper(SecurityInterstitialMetricsHelper* metrics_helper);
+
  private:
+  scoped_ptr<SecurityInterstitialMetricsHelper> metrics_helper_;
   content::WebContents* web_contents_;
   const GURL request_url_;
   // Once shown, |interstitial_page| takes ownership of this
diff --git a/chrome/browser/net/certificate_error_reporter.cc b/chrome/browser/net/certificate_error_reporter.cc
index 02672068dd7b..65c1e054b4d3 100644
--- a/chrome/browser/net/certificate_error_reporter.cc
+++ b/chrome/browser/net/certificate_error_reporter.cc
@@ -22,9 +22,11 @@ namespace chrome_browser_net {
 
 CertificateErrorReporter::CertificateErrorReporter(
     net::URLRequestContext* request_context,
-    const GURL& upload_url)
-    : request_context_(request_context), upload_url_(upload_url) {
-  DCHECK(!upload_url.is_empty());
+    const GURL& upload_url,
+    CookiesPreference cookies_preference)
+    : request_context_(request_context),
+      upload_url_(upload_url),
+      cookies_preference_(cookies_preference) {
 }
 
 CertificateErrorReporter::~CertificateErrorReporter() {
@@ -34,6 +36,7 @@ CertificateErrorReporter::~CertificateErrorReporter() {
 void CertificateErrorReporter::SendReport(ReportType type,
                                           const std::string& hostname,
                                           const net::SSLInfo& ssl_info) {
+  DCHECK(!upload_url_.is_empty());
   CertLoggerRequest request;
   std::string out;
 
@@ -47,8 +50,7 @@ void CertificateErrorReporter::SendReport(ReportType type,
       // TODO(estark): Double-check that the user is opted in.
       // TODO(estark): Temporarily, since this is no upload endpoint, just
       // log the information.
-      request.SerializeToString(&out);
-      DVLOG(3) << "SSL report for " << hostname << ":\n" << out << "\n\n";
+      DVLOG(1) << "Would send certificate report for " << hostname;
       break;
     default:
       NOTREACHED();
@@ -76,8 +78,10 @@ scoped_ptr<net::URLRequest> CertificateErrorReporter::CreateURLRequest(
     net::URLRequestContext* context) {
   scoped_ptr<net::URLRequest> request =
       context->CreateRequest(upload_url_, net::DEFAULT_PRIORITY, this);
-  request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES |
-                        net::LOAD_DO_NOT_SAVE_COOKIES);
+  if (cookies_preference_ != SEND_COOKIES) {
+    request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES |
+                          net::LOAD_DO_NOT_SAVE_COOKIES);
+  }
   return request.Pass();
 }
 
diff --git a/chrome/browser/net/certificate_error_reporter.h b/chrome/browser/net/certificate_error_reporter.h
index 5463d5a74bd6..e14f7659eab5 100644
--- a/chrome/browser/net/certificate_error_reporter.h
+++ b/chrome/browser/net/certificate_error_reporter.h
@@ -36,15 +36,21 @@ class CertificateErrorReporter : public net::URLRequest::Delegate {
     REPORT_TYPE_EXTENDED_REPORTING
   };
 
+  // Represents whether or not to send cookies along with reports sent
+  // to the server.
+  enum CookiesPreference { SEND_COOKIES, DO_NOT_SEND_COOKIES };
+
   // Create a certificate error reporter that will send certificate
   // error reports to |upload_url|, using |request_context| as the
-  // context for the reports.
+  // context for the reports. |cookies_preference| controls whether
+  // cookies will be sent along with the reports.
   CertificateErrorReporter(net::URLRequestContext* request_context,
-                           const GURL& upload_url);
+                           const GURL& upload_url,
+                           CookiesPreference cookies_preference);
 
   ~CertificateErrorReporter() override;
 
-  // Construct, serialize, and send a certificate reporter to the report
+  // Construct, serialize, and send a certificate report to the report
   // collection server containing the |ssl_info| associated with a
   // connection to |hostname|.
   virtual void SendReport(ReportType type,
@@ -79,6 +85,8 @@ class CertificateErrorReporter : public net::URLRequest::Delegate {
   // Owns the contained requests.
   std::set<net::URLRequest*> inflight_requests_;
 
+  CookiesPreference cookies_preference_;
+
   DISALLOW_COPY_AND_ASSIGN(CertificateErrorReporter);
 };
 
diff --git a/chrome/browser/net/certificate_error_reporter_unittest.cc b/chrome/browser/net/certificate_error_reporter_unittest.cc
index 1647776df9ec..843050d19349 100644
--- a/chrome/browser/net/certificate_error_reporter_unittest.cc
+++ b/chrome/browser/net/certificate_error_reporter_unittest.cc
@@ -201,7 +201,8 @@ void SendReport(TestCertificateErrorReporterNetworkDelegate* network_delegate,
   network_delegate->set_expected_url(url);
   network_delegate->ExpectHostname(report_hostname);
 
-  CertificateErrorReporter reporter(context, url);
+  CertificateErrorReporter reporter(
+      context, url, CertificateErrorReporter::DO_NOT_SEND_COOKIES);
 
   EXPECT_EQ(request_sequence_number, network_delegate->num_requests());
 
@@ -235,7 +236,8 @@ TEST_F(CertificateErrorReporterTest, SendMultipleReportsSimultaneously) {
   network_delegate()->ExpectHostname(kHostname);
   network_delegate()->ExpectHostname(kSecondRequestHostname);
 
-  CertificateErrorReporter reporter(context(), url);
+  CertificateErrorReporter reporter(
+      context(), url, CertificateErrorReporter::DO_NOT_SEND_COOKIES);
 
   EXPECT_EQ(0, network_delegate()->num_requests());
 
@@ -264,8 +266,8 @@ TEST_F(CertificateErrorReporterTest, PendingRequestGetsDeleted) {
 
   EXPECT_EQ(0, network_delegate()->num_requests());
 
-  scoped_ptr<CertificateErrorReporter> reporter(
-      new CertificateErrorReporter(context(), url));
+  scoped_ptr<CertificateErrorReporter> reporter(new CertificateErrorReporter(
+      context(), url, CertificateErrorReporter::DO_NOT_SEND_COOKIES));
   reporter->SendReport(CertificateErrorReporter::REPORT_TYPE_PINNING_VIOLATION,
                        kHostname, GetTestSSLInfo());
   reporter.reset();
diff --git a/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc b/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc
index 2759a97b5374..1c6dd486a5bc 100644
--- a/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc
+++ b/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc
@@ -25,7 +25,8 @@ ChromeFraudulentCertificateReporter::ChromeFraudulentCertificateReporter(
     net::URLRequestContext* request_context)
     : certificate_reporter_(new CertificateErrorReporter(
           request_context,
-          GURL(kFraudulentCertificateUploadEndpoint))) {
+          GURL(kFraudulentCertificateUploadEndpoint),
+          CertificateErrorReporter::DO_NOT_SEND_COOKIES)) {
 }
 
 ChromeFraudulentCertificateReporter::ChromeFraudulentCertificateReporter(
diff --git a/chrome/browser/net/chrome_fraudulent_certificate_reporter_unittest.cc b/chrome/browser/net/chrome_fraudulent_certificate_reporter_unittest.cc
index 13aa5ef59ce1..f3ecf4812197 100644
--- a/chrome/browser/net/chrome_fraudulent_certificate_reporter_unittest.cc
+++ b/chrome/browser/net/chrome_fraudulent_certificate_reporter_unittest.cc
@@ -118,7 +118,10 @@ class NotSendingTestReporter : public TestReporter {
 class MockReporter : public CertificateErrorReporter {
  public:
   explicit MockReporter(net::URLRequestContext* request_context)
-      : CertificateErrorReporter(request_context, GURL("http://example.com")) {}
+      : CertificateErrorReporter(
+            request_context,
+            GURL("http://example.com"),
+            CertificateErrorReporter::DO_NOT_SEND_COOKIES) {}
 
   void SendReport(ReportType type,
                   const std::string& hostname,
diff --git a/chrome/browser/resources/security_warnings/extended_reporting.js b/chrome/browser/resources/security_warnings/extended_reporting.js
new file mode 100644
index 000000000000..51b4b21c4f9d
--- /dev/null
+++ b/chrome/browser/resources/security_warnings/extended_reporting.js
@@ -0,0 +1,40 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+'use strict';
+
+// Other constants defined in security_interstitial_page.h.
+var SB_BOX_CHECKED = 'boxchecked';
+var SB_DISPLAY_CHECK_BOX = 'displaycheckbox';
+
+// This sets up the Extended Safe Browsing Reporting opt-in, either for
+// reporting malware or invalid certificate chains. Does nothing if the
+// interstitial type is not SAFEBROWSING or SSL.
+function setupExtendedReportingCheckbox() {
+  var interstitialType = loadTimeData.getString('type');
+  if (interstitialType != 'SAFEBROWSING' && interstitialType != 'SSL') {
+    return;
+  }
+
+  if (!loadTimeData.getBoolean(SB_DISPLAY_CHECK_BOX)) {
+    return;
+  }
+
+  $('opt-in-label').innerHTML = loadTimeData.getString('optInLink');
+  $('opt-in-checkbox').checked = loadTimeData.getBoolean(SB_BOX_CHECKED);
+  $('extended-reporting-opt-in').classList.remove('hidden');
+
+  var className = interstitialType == 'SAFEBROWSING' ?
+                  'safe-browsing-opt-in' :
+                  'ssl-opt-in';
+  $('extended-reporting-opt-in').classList.add(className);
+
+  $('body').classList.add('extended-reporting-has-checkbox');
+
+  $('opt-in-checkbox').addEventListener('click', function() {
+    sendCommand($('opt-in-checkbox').checked ?
+                CMD_DO_REPORT :
+                CMD_DONT_REPORT);
+  });
+}
diff --git a/chrome/browser/resources/security_warnings/interstitial_v2.css b/chrome/browser/resources/security_warnings/interstitial_v2.css
index ee9a19f33774..ca6750b0bcc2 100644
--- a/chrome/browser/resources/security_warnings/interstitial_v2.css
+++ b/chrome/browser/resources/security_warnings/interstitial_v2.css
@@ -146,7 +146,7 @@ input[type=checkbox] {
   display: inline;
 }
 
-#malware-opt-in {
+#extended-reporting-opt-in {
   font-size: .875em;
   margin-top: 39px;
 }
@@ -224,7 +224,6 @@ input[type=checkbox] {
 
 .styled-checkbox label {
   background: transparent;
-  border: white solid 1px;
   border-radius: 2px;
   height: 14px;
   left: 0;
@@ -236,9 +235,6 @@ input[type=checkbox] {
 
 .styled-checkbox .checkbox-tick {
   background: transparent;
-  border: 2px solid white;
-  border-right-width: 0;
-  border-top-width: 0;
   content: '';
   height: 4px;
   left: 2px;
@@ -249,6 +245,26 @@ input[type=checkbox] {
   width: 9px;
 }
 
+.safe-browsing-opt-in .styled-checkbox label {
+  border: white solid 1px;
+}
+
+.safe-browsing-opt-in .styled-checkbox .checkbox-tick {
+  border: white solid 1px;
+  border-right-width: 0;
+  border-top-width: 0;
+}
+
+.ssl-opt-in .styled-checkbox label {
+  border: #696969 solid 1px;
+}
+
+.ssl-opt-in .styled-checkbox .checkbox-tick {
+  border: #696969 solid 1px;
+  border-right-width: 0;
+  border-top-width: 0;
+}
+
 .styled-checkbox input[type=checkbox]:checked ~ .checkbox-tick {
   opacity: 1;
 }
@@ -304,7 +320,7 @@ input[type=checkbox] {
     padding: 0 5%;
   }
 
-  #malware-opt-in {
+  #extended-reporting-opt-in {
     margin-top: 24px;
   }
 
@@ -442,7 +458,7 @@ input[type=checkbox] {
 }
 
 @media (min-height: 400px) and (orientation:portrait) {
-  body:not(.safe-browsing-has-checkbox) .interstitial-wrapper {
+  body:not(.extended-reporting-has-checkbox) .interstitial-wrapper {
     margin-bottom: 145px;
   }
 }
@@ -476,7 +492,7 @@ input[type=checkbox] {
 }
 
 @media (min-height: 500px) and (max-width: 414px) and (orientation: portrait) {
-  :not(.safe-browsing-has-checkbox) .interstitial-wrapper {
+  :not(.extended-reporting-has-checkbox) .interstitial-wrapper {
     margin-top: 96px;
   }
 }
@@ -558,7 +574,7 @@ input[type=checkbox] {
     margin-top: 0;
   }
 
-  #malware-opt-in {
+  #extended-reporting-opt-in {
     margin-top: 0;
   }
 }
@@ -618,30 +634,30 @@ input[type=checkbox] {
   }
 }
 
-/* Malware opt-in. No fixed nav. */
+/* Extended reporting opt-in. No fixed nav. */
 @media (max-height: 600px) and (orientation: portrait),
        (max-height: 360px) and (max-width: 680px) and (orientation: landscape) {
-  .safe-browsing-has-checkbox .interstitial-wrapper {
+  .extended-reporting-has-checkbox .interstitial-wrapper {
     display: flex;
     flex-direction: column;
     margin-bottom: 0;
   }
 
-  .safe-browsing-has-checkbox #details {
+  .extended-reporting-has-checkbox #details {
     flex: 1 1 auto;
     order: 0;
   }
 
-  .safe-browsing-has-checkbox #main-content {
+  .extended-reporting-has-checkbox #main-content {
     flex: 1 1 auto;
     order: 0;
   }
 
-  .safe-browsing-has-checkbox #malware-opt-in {
+  .extended-reporting-has-checkbox #extended-reporting-opt-in {
     margin-bottom: 8px;
   }
 
-  body.safe-browsing-has-checkbox .nav-wrapper {
+  body.extended-reporting-has-checkbox .nav-wrapper {
     flex: 0 1 auto;
     margin-top: 0;
     order: 1;
diff --git a/chrome/browser/resources/security_warnings/interstitial_v2.html b/chrome/browser/resources/security_warnings/interstitial_v2.html
index b06fe1fb7699..a4b7ca9de7e6 100644
--- a/chrome/browser/resources/security_warnings/interstitial_v2.html
+++ b/chrome/browser/resources/security_warnings/interstitial_v2.html
@@ -9,7 +9,7 @@
   <script src="../../../../ui/webui/resources/js/util.js"></script>
   <script src="captive_portal.js"></script>
   <script src="ssl.js"></script>
-  <script src="safe_browsing.js"></script>
+  <script src="extended_reporting.js"></script>
   <script src="interstitial_v2_mobile.js"></script>
   <script src="interstitial_v2.js"></script>
 </head>
@@ -25,7 +25,7 @@
           <div id="error-debugging-info" class="hidden"></div>
         </div>
       </div>
-      <div id="malware-opt-in" class="hidden">
+      <div id="extended-reporting-opt-in" class="hidden">
         <div class="styled-checkbox">
           <label>
             <input type="checkbox" id="opt-in-checkbox">
diff --git a/chrome/browser/resources/security_warnings/interstitial_v2.js b/chrome/browser/resources/security_warnings/interstitial_v2.js
index 925d0b9d1848..bd192725247b 100644
--- a/chrome/browser/resources/security_warnings/interstitial_v2.js
+++ b/chrome/browser/resources/security_warnings/interstitial_v2.js
@@ -173,7 +173,7 @@ function setupEvents() {
   }
 
   preventDefaultOnPoundLinkClicks();
-  setupCheckbox();
+  setupExtendedReportingCheckbox();
   setupSSLDebuggingInfo();
   document.addEventListener('keypress', handleKeypress);
 }
diff --git a/chrome/browser/resources/security_warnings/safe_browsing.js b/chrome/browser/resources/security_warnings/safe_browsing.js
deleted file mode 100644
index 1fa4555072bf..000000000000
--- a/chrome/browser/resources/security_warnings/safe_browsing.js
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Other constants defined in safe_browsing_blocking_page.cc.
-var SB_BOX_CHECKED = 'boxchecked';
-var SB_DISPLAY_CHECK_BOX = 'displaycheckbox';
-
-// This sets up the Extended Safe Browsing Reporting opt-in.
-function setupCheckbox() {
-  if (loadTimeData.getString('type') != 'SAFEBROWSING' ||
-      !loadTimeData.getBoolean(SB_DISPLAY_CHECK_BOX)) {
-    return;
-  }
-
-  $('opt-in-label').innerHTML = loadTimeData.getString('optInLink');
-  $('opt-in-checkbox').checked = loadTimeData.getBoolean(SB_BOX_CHECKED);
-  $('malware-opt-in').classList.remove('hidden');
-  $('body').classList.add('safe-browsing-has-checkbox');
-
-  $('opt-in-checkbox').addEventListener('click', function() {
-    sendCommand(
-        $('opt-in-checkbox').checked ? CMD_DO_REPORT : CMD_DONT_REPORT);
-  });
-}
diff --git a/chrome/browser/safe_browsing/ping_manager.cc b/chrome/browser/safe_browsing/ping_manager.cc
index 04783410fcef..947d8910e313 100644
--- a/chrome/browser/safe_browsing/ping_manager.cc
+++ b/chrome/browser/safe_browsing/ping_manager.cc
@@ -8,17 +8,27 @@
 #include "base/stl_util.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
+#include "chrome/browser/net/certificate_error_reporter.h"
 #include "chrome/common/env_vars.h"
 #include "content/public/browser/browser_thread.h"
 #include "google_apis/google_api_keys.h"
 #include "net/base/escape.h"
 #include "net/base/load_flags.h"
+#include "net/ssl/ssl_info.h"
 #include "net/url_request/url_fetcher.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "net/url_request/url_request_status.h"
+#include "url/gurl.h"
 
+using chrome_browser_net::CertificateErrorReporter;
 using content::BrowserThread;
 
+namespace {
+// URL to upload invalid certificate chain reports
+// TODO(estark): Fill this in with the real URL when live.
+const char kExtendedReportingUploadUrl[] = "";
+}  // namespace
+
 // SafeBrowsingPingManager implementation ----------------------------------
 
 // static
@@ -34,7 +44,14 @@ SafeBrowsingPingManager::SafeBrowsingPingManager(
     const SafeBrowsingProtocolConfig& config)
     : client_name_(config.client_name),
       request_context_getter_(request_context_getter),
-      url_prefix_(config.url_prefix) {
+      url_prefix_(config.url_prefix),
+      certificate_error_reporter_(
+          request_context_getter
+              ? new CertificateErrorReporter(
+                    request_context_getter->GetURLRequestContext(),
+                    GURL(kExtendedReportingUploadUrl),
+                    CertificateErrorReporter::SEND_COOKIES)
+              : nullptr) {
   DCHECK(!url_prefix_.empty());
 
   version_ = SafeBrowsingProtocolManagerHelper::Version();
@@ -95,6 +112,20 @@ void SafeBrowsingPingManager::ReportMalwareDetails(
   safebrowsing_reports_.insert(fetcher);
 }
 
+void SafeBrowsingPingManager::ReportInvalidCertificateChain(
+    const std::string& hostname,
+    const net::SSLInfo& ssl_info) {
+  DCHECK(certificate_error_reporter_);
+  certificate_error_reporter_->SendReport(
+      CertificateErrorReporter::REPORT_TYPE_EXTENDED_REPORTING, hostname,
+      ssl_info);
+}
+
+void SafeBrowsingPingManager::SetCertificateErrorReporterForTesting(
+    scoped_ptr<CertificateErrorReporter> certificate_error_reporter) {
+  certificate_error_reporter_ = certificate_error_reporter.Pass();
+}
+
 GURL SafeBrowsingPingManager::SafeBrowsingHitUrl(
     const GURL& malicious_url, const GURL& page_url,
     const GURL& referrer_url, bool is_subresource,
diff --git a/chrome/browser/safe_browsing/ping_manager.h b/chrome/browser/safe_browsing/ping_manager.h
index a33559b532b2..28c536ce0228 100644
--- a/chrome/browser/safe_browsing/ping_manager.h
+++ b/chrome/browser/safe_browsing/ping_manager.h
@@ -18,7 +18,12 @@
 #include "net/url_request/url_fetcher_delegate.h"
 #include "url/gurl.h"
 
+namespace chrome_browser_net {
+class CertificateErrorReporter;
+}
+
 namespace net {
+class SSLInfo;
 class URLRequestContextGetter;
 }  // namespace net
 
@@ -49,6 +54,14 @@ class SafeBrowsingPingManager : public net::URLFetcherDelegate {
   // malware reports. |report| is the serialized report.
   void ReportMalwareDetails(const std::string& report);
 
+  // Users can opt-in on the SSL interstitial to send reports of invalid
+  // certificate chains.
+  void ReportInvalidCertificateChain(const std::string& hostname,
+                                     const net::SSLInfo& ssl_info);
+
+  void SetCertificateErrorReporterForTesting(scoped_ptr<
+      chrome_browser_net::CertificateErrorReporter> certificate_error_reporter);
+
  private:
   FRIEND_TEST_ALL_PREFIXES(SafeBrowsingPingManagerTest,
                            TestSafeBrowsingHitUrl);
@@ -88,6 +101,10 @@ class SafeBrowsingPingManager : public net::URLFetcherDelegate {
   // We add both "hit" and "detail" fetchers in this set.
   Reports safebrowsing_reports_;
 
+  // Sends reports of invalid SSL certificate chains.
+  scoped_ptr<chrome_browser_net::CertificateErrorReporter>
+      certificate_error_reporter_;
+
   DISALLOW_COPY_AND_ASSIGN(SafeBrowsingPingManager);
 };
 
diff --git a/chrome/browser/safe_browsing/safe_browsing_blocking_page.cc b/chrome/browser/safe_browsing/safe_browsing_blocking_page.cc
index 1fe998e56aa5..c04a8bc555ab 100644
--- a/chrome/browser/safe_browsing/safe_browsing_blocking_page.cc
+++ b/chrome/browser/safe_browsing/safe_browsing_blocking_page.cc
@@ -68,20 +68,12 @@ const char kLearnMoreMalwareUrlV2[] =
 const char kLearnMorePhishingUrlV2[] =
     "https://www.google.com/transparencyreport/safebrowsing/";
 
-const char kPrivacyLinkHtml[] =
-    "<a id=\"privacy-link\" href=\"\" onclick=\"sendCommand(%d); "
-    "return false;\" onmousedown=\"return false;\">%s</a>";
-
 // After a malware interstitial where the user opted-in to the report
 // but clicked "proceed anyway", we delay the call to
 // MalwareDetails::FinishCollection() by this much time (in
 // milliseconds).
 const int64 kMalwareDetailsProceedDelayMilliSeconds = 3000;
 
-// Other constants used to communicate with the JavaScript.
-const char kBoxChecked[] = "boxchecked";
-const char kDisplayCheckBox[] = "displaycheckbox";
-
 // Constants for the Experience Sampling instrumentation.
 const char kEventNameMalware[] = "safebrowsing_interstitial_";
 const char kEventNameHarmful[] = "harmful_interstitial_";
@@ -167,15 +159,15 @@ SafeBrowsingBlockingPage::SafeBrowsingBlockingPage(
 
   // This must be done after calculating |interstitial_reason_| above.
   // Use same prefix for UMA as for Rappor.
-  metrics_helper_.reset(new SecurityInterstitialMetricsHelper(
+  set_metrics_helper(new SecurityInterstitialMetricsHelper(
       web_contents, request_url(), GetMetricPrefix(), GetMetricPrefix(),
       SecurityInterstitialMetricsHelper::REPORT_RAPPOR,
       GetSamplingEventName()));
-  metrics_helper_->RecordUserDecision(SecurityInterstitialMetricsHelper::SHOW);
-  metrics_helper_->RecordUserInteraction(
+  metrics_helper()->RecordUserDecision(SecurityInterstitialMetricsHelper::SHOW);
+  metrics_helper()->RecordUserInteraction(
       SecurityInterstitialMetricsHelper::TOTAL_VISITS);
   if (IsPrefEnabled(prefs::kSafeBrowsingProceedAnywayDisabled)) {
-    metrics_helper_->RecordUserDecision(
+    metrics_helper()->RecordUserDecision(
         SecurityInterstitialMetricsHelper::PROCEEDING_DISABLED);
   }
 
@@ -231,7 +223,7 @@ void SafeBrowsingBlockingPage::CommandReceived(const std::string& page_cmd) {
     }
     case CMD_OPEN_HELP_CENTER: {
       // User pressed "Learn more".
-      metrics_helper_->RecordUserInteraction(
+      metrics_helper()->RecordUserInteraction(
           SecurityInterstitialMetricsHelper::SHOW_LEARN_MORE);
       GURL learn_more_url(
           interstitial_reason_ == SB_REASON_PHISHING ?
@@ -248,24 +240,13 @@ void SafeBrowsingBlockingPage::CommandReceived(const std::string& page_cmd) {
     }
     case CMD_OPEN_REPORTING_PRIVACY: {
       // User pressed on the SB Extended Reporting "privacy policy" link.
-      metrics_helper_->RecordUserInteraction(
-          SecurityInterstitialMetricsHelper::SHOW_PRIVACY_POLICY);
-      GURL privacy_url(
-          l10n_util::GetStringUTF8(IDS_SAFE_BROWSING_PRIVACY_POLICY_URL));
-      privacy_url = google_util::AppendGoogleLocaleParam(
-          privacy_url, g_browser_process->GetApplicationLocale());
-      OpenURLParams params(privacy_url,
-                           Referrer(),
-                           CURRENT_TAB,
-                           ui::PAGE_TRANSITION_LINK,
-                           false);
-      web_contents()->OpenURL(params);
+      OpenExtendedReportingPrivacyPolicy();
       break;
     }
     case CMD_PROCEED: {
       // User pressed on the button to proceed.
       if (!IsPrefEnabled(prefs::kSafeBrowsingProceedAnywayDisabled)) {
-        metrics_helper_->RecordUserDecision(
+        metrics_helper()->RecordUserDecision(
             SecurityInterstitialMetricsHelper::PROCEED);
         interstitial_page()->Proceed();
         // |this| has been deleted after Proceed() returns.
@@ -304,7 +285,7 @@ void SafeBrowsingBlockingPage::CommandReceived(const std::string& page_cmd) {
       size_t element_index = 0;
       const UnsafeResource& unsafe_resource = unsafe_resources_[element_index];
       std::string bad_url_spec = unsafe_resource.url.spec();
-      metrics_helper_->RecordUserInteraction(
+      metrics_helper()->RecordUserInteraction(
           SecurityInterstitialMetricsHelper::SHOW_DIAGNOSTIC);
       std::string diagnostic =
           base::StringPrintf(kSbDiagnosticUrl,
@@ -324,7 +305,7 @@ void SafeBrowsingBlockingPage::CommandReceived(const std::string& page_cmd) {
     }
     case CMD_SHOW_MORE_SECTION: {
       // User has opened up the hidden text.
-      metrics_helper_->RecordUserInteraction(
+      metrics_helper()->RecordUserInteraction(
           SecurityInterstitialMetricsHelper::SHOW_ADVANCED);
       break;
     }
@@ -339,14 +320,6 @@ void SafeBrowsingBlockingPage::OverrideRendererPrefs(
       prefs, profile, web_contents());
 }
 
-void SafeBrowsingBlockingPage::SetReportingPreference(bool report) {
-  Profile* profile = Profile::FromBrowserContext(
-      web_contents()->GetBrowserContext());
-  PrefService* pref = profile->GetPrefs();
-  pref->SetBoolean(prefs::kSafeBrowsingExtendedReportingEnabled, report);
-  UMA_HISTOGRAM_BOOLEAN("SB2.SetExtendedReportingEnabled", report);
-}
-
 void SafeBrowsingBlockingPage::OnProceed() {
   proceeded_ = true;
   // Send the malware details, if we opted to.
@@ -390,7 +363,7 @@ void SafeBrowsingBlockingPage::OnDontProceed() {
     return;
 
   if (!IsPrefEnabled(prefs::kSafeBrowsingProceedAnywayDisabled)) {
-    metrics_helper_->RecordUserDecision(
+    metrics_helper()->RecordUserDecision(
         SecurityInterstitialMetricsHelper::DONT_PROCEED);
   }
 
@@ -431,20 +404,16 @@ void SafeBrowsingBlockingPage::FinishMalwareDetails(int64 delay_ms) {
 
   const bool enabled =
       IsPrefEnabled(prefs::kSafeBrowsingExtendedReportingEnabled);
-  UMA_HISTOGRAM_BOOLEAN("SB2.ExtendedReportingIsEnabled", enabled);
-  if (enabled) {
-    // Finish the malware details collection, send it over.
-    BrowserThread::PostDelayedTask(
-        BrowserThread::IO, FROM_HERE,
-        base::Bind(&MalwareDetails::FinishCollection, malware_details_.get()),
-        base::TimeDelta::FromMilliseconds(delay_ms));
-  }
-}
+  if (!enabled)
+    return;
 
-bool SafeBrowsingBlockingPage::IsPrefEnabled(const char* pref) {
-  Profile* profile =
-      Profile::FromBrowserContext(web_contents()->GetBrowserContext());
-  return profile->GetPrefs()->GetBoolean(pref);
+  metrics_helper()->RecordUserInteraction(
+      SecurityInterstitialMetricsHelper::EXTENDED_REPORTING_IS_ENABLED);
+  // Finish the malware details collection, send it over.
+  BrowserThread::PostDelayedTask(
+      BrowserThread::IO, FROM_HERE,
+      base::Bind(&MalwareDetails::FinishCollection, malware_details_.get()),
+      base::TimeDelta::FromMilliseconds(delay_ms));
 }
 
 // static
@@ -588,21 +557,19 @@ void SafeBrowsingBlockingPage::PopulateExtendedReportingOption(
     base::DictionaryValue* load_time_data) {
   // Only show checkbox if !(HTTPS || incognito-mode).
   const bool show = CanShowMalwareDetailsOption();
-  load_time_data->SetBoolean(kDisplayCheckBox, show);
+  load_time_data->SetBoolean(interstitials::kDisplayCheckBox, show);
   if (!show)
     return;
 
   const std::string privacy_link = base::StringPrintf(
-      kPrivacyLinkHtml,
-      CMD_OPEN_REPORTING_PRIVACY,
-      l10n_util::GetStringUTF8(
-          IDS_SAFE_BROWSING_PRIVACY_POLICY_PAGE).c_str());
+      interstitials::kPrivacyLinkHtml, CMD_OPEN_REPORTING_PRIVACY,
+      l10n_util::GetStringUTF8(IDS_SAFE_BROWSING_PRIVACY_POLICY_PAGE).c_str());
   load_time_data->SetString(
-      "optInLink",
+      interstitials::kOptInLink,
       l10n_util::GetStringFUTF16(IDS_SAFE_BROWSING_MALWARE_REPORTING_AGREE,
                                  base::UTF8ToUTF16(privacy_link)));
   load_time_data->SetBoolean(
-      kBoxChecked,
+      interstitials::kBoxChecked,
       IsPrefEnabled(prefs::kSafeBrowsingExtendedReportingEnabled));
 }
 
diff --git a/chrome/browser/safe_browsing/safe_browsing_blocking_page.h b/chrome/browser/safe_browsing/safe_browsing_blocking_page.h
index ea9704bfdc96..de5bbef4b756 100644
--- a/chrome/browser/safe_browsing/safe_browsing_blocking_page.h
+++ b/chrome/browser/safe_browsing/safe_browsing_blocking_page.h
@@ -90,7 +90,7 @@ class SafeBrowsingBlockingPage : public SecurityInterstitialPage {
   friend class SafeBrowsingBlockingPageTest;
   FRIEND_TEST_ALL_PREFIXES(SafeBrowsingBlockingPageTest,
                            ProceedThenDontProceed);
-  void SetReportingPreference(bool report);
+
   void UpdateReportingPref();  // Used for the transition from old to new pref.
 
   // Don't instantiate this class directly, use ShowBlockingPage instead.
@@ -124,10 +124,6 @@ class SafeBrowsingBlockingPage : public SecurityInterstitialPage {
   // enabled, the report is scheduled to be sent on the |ui_manager_|.
   void FinishMalwareDetails(int64 delay_ms);
 
-  // Returns the boolean value of the given |pref| from the PrefService of the
-  // Profile associated with |web_contents_|.
-  bool IsPrefEnabled(const char* pref);
-
   // A list of SafeBrowsingUIManager::UnsafeResource for a tab that the user
   // should be warned about.  They are queued when displaying more than one
   // interstitial at a time.
@@ -193,8 +189,6 @@ class SafeBrowsingBlockingPage : public SecurityInterstitialPage {
   std::string GetMetricPrefix() const;
   std::string GetSamplingEventName() const;
 
-  scoped_ptr<SecurityInterstitialMetricsHelper> metrics_helper_;
-
   DISALLOW_COPY_AND_ASSIGN(SafeBrowsingBlockingPage);
 };
 
diff --git a/chrome/browser/safe_browsing/safe_browsing_blocking_page_test.cc b/chrome/browser/safe_browsing/safe_browsing_blocking_page_test.cc
index ed8fad4f1b4c..e79310f10843 100644
--- a/chrome/browser/safe_browsing/safe_browsing_blocking_page_test.cc
+++ b/chrome/browser/safe_browsing/safe_browsing_blocking_page_test.cc
@@ -690,7 +690,7 @@ IN_PROC_BROWSER_TEST_P(SafeBrowsingBlockingPageBrowserTest,
   if (expect_malware_details)
     fake_malware_details->WaitForDOM();
 
-  EXPECT_EQ(VISIBLE, GetVisibility("malware-opt-in"));
+  EXPECT_EQ(VISIBLE, GetVisibility("extended-reporting-opt-in"));
   EXPECT_TRUE(Click("opt-in-checkbox"));
   EXPECT_TRUE(ClickAndWaitForDetach("proceed-link"));
   AssertNoInterstitial(true);  // Assert the interstitial is gone
@@ -765,7 +765,7 @@ IN_PROC_BROWSER_TEST_P(SafeBrowsingBlockingPageBrowserTest, ReportingDisabled) {
   ui_test_utils::NavigateToURL(browser(), url);
   ASSERT_TRUE(WaitForReady());
 
-  EXPECT_EQ(HIDDEN, GetVisibility("malware-opt-in"));
+  EXPECT_EQ(HIDDEN, GetVisibility("extended-reporting-opt-in"));
   EXPECT_EQ(HIDDEN, GetVisibility("opt-in-checkbox"));
   EXPECT_EQ(HIDDEN, GetVisibility("proceed-link"));
   EXPECT_TRUE(Click("details-button"));
diff --git a/chrome/browser/safe_browsing/ui_manager.cc b/chrome/browser/safe_browsing/ui_manager.cc
index 45728d35409b..382d103a3626 100644
--- a/chrome/browser/safe_browsing/ui_manager.cc
+++ b/chrome/browser/safe_browsing/ui_manager.cc
@@ -26,6 +26,7 @@
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/web_contents.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
+#include "net/ssl/ssl_info.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_getter.h"
 
@@ -213,6 +214,19 @@ void SafeBrowsingUIManager::ReportSafeBrowsingHit(
                  threat_type, post_data));
 }
 
+void SafeBrowsingUIManager::ReportInvalidCertificateChain(
+    const std::string& hostname,
+    const net::SSLInfo& ssl_info,
+    const base::Closure& callback) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+  BrowserThread::PostTaskAndReply(
+      BrowserThread::IO, FROM_HERE,
+      base::Bind(
+          &SafeBrowsingUIManager::ReportInvalidCertificateChainOnIOThread, this,
+          hostname, ssl_info),
+      callback);
+}
+
 void SafeBrowsingUIManager::AddObserver(Observer* observer) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   observer_list_.AddObserver(observer);
@@ -246,6 +260,20 @@ void SafeBrowsingUIManager::ReportSafeBrowsingHitOnIOThread(
       threat_type, post_data);
 }
 
+void SafeBrowsingUIManager::ReportInvalidCertificateChainOnIOThread(
+    const std::string& hostname,
+    const net::SSLInfo& ssl_info) {
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+
+  // The service may delete the ping manager (i.e. when user disabling service,
+  // etc). This happens on the IO thread.
+  if (!sb_service_ || !sb_service_->ping_manager())
+    return;
+
+  sb_service_->ping_manager()->ReportInvalidCertificateChain(hostname,
+                                                             ssl_info);
+}
+
 // If the user had opted-in to send MalwareDetails, this gets called
 // when the report is ready.
 void SafeBrowsingUIManager::SendSerializedMalwareDetails(
@@ -305,4 +333,3 @@ bool SafeBrowsingUIManager::IsWhitelisted(const UnsafeResource& resource) {
   }
   return false;
 }
-
diff --git a/chrome/browser/safe_browsing/ui_manager.h b/chrome/browser/safe_browsing/ui_manager.h
index 543b1ab57284..42be1453cabf 100644
--- a/chrome/browser/safe_browsing/ui_manager.h
+++ b/chrome/browser/safe_browsing/ui_manager.h
@@ -24,7 +24,11 @@ class SafeBrowsingService;
 
 namespace base {
 class Thread;
-}
+}  // namespace base
+
+namespace net {
+class SSLInfo;
+}  // namespace net
 
 // Construction needs to happen on the main thread.
 class SafeBrowsingUIManager
@@ -124,6 +128,12 @@ class SafeBrowsingUIManager
                                      SBThreatType threat_type,
                                      const std::string& post_data);
 
+  // Report an invalid TLS/SSL certificate chain to the server. Can only
+  // be called on UI thread.
+  void ReportInvalidCertificateChain(const std::string& hostname,
+                                     const net::SSLInfo& ssl_info,
+                                     const base::Closure& callback);
+
   // Add and remove observers.  These methods must be invoked on the UI thread.
   void AddObserver(Observer* observer);
   void RemoveObserver(Observer* remove);
@@ -145,6 +155,10 @@ class SafeBrowsingUIManager
                                        SBThreatType threat_type,
                                        const std::string& post_data);
 
+  // Sends an invalid certificate chain report over the network.
+  void ReportInvalidCertificateChainOnIOThread(const std::string& hostname,
+                                               const net::SSLInfo& ssl_info);
+
   // Adds the given entry to the whitelist.  Called on the UI thread.
   void UpdateWhitelist(const UnsafeResource& resource);
 
diff --git a/chrome/browser/ssl/ssl_blocking_page.cc b/chrome/browser/ssl/ssl_blocking_page.cc
index 55f465cec865..e6083f8768ec 100644
--- a/chrome/browser/ssl/ssl_blocking_page.cc
+++ b/chrome/browser/ssl/ssl_blocking_page.cc
@@ -4,12 +4,16 @@
 
 #include "chrome/browser/ssl/ssl_blocking_page.h"
 
+#include "base/bind.h"
+#include "base/bind_helpers.h"
 #include "base/build_time.h"
+#include "base/callback_helpers.h"
 #include "base/command_line.h"
 #include "base/i18n/rtl.h"
 #include "base/i18n/time_formatting.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram.h"
+#include "base/prefs/pref_service.h"
 #include "base/process/launch.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
@@ -20,11 +24,14 @@
 #include "base/values.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chrome_notification_types.h"
+#include "chrome/browser/interstitials/security_interstitial_metrics_helper.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/renderer_preferences_util.h"
+#include "chrome/browser/safe_browsing/ui_manager.h"
 #include "chrome/browser/ssl/ssl_error_classification.h"
 #include "chrome/browser/ssl/ssl_error_info.h"
 #include "chrome/common/chrome_switches.h"
+#include "chrome/common/pref_names.h"
 #include "chrome/grit/chromium_strings.h"
 #include "chrome/grit/generated_resources.h"
 #include "components/google/core/browser/google_util.h"
@@ -221,13 +228,15 @@ InterstitialPageDelegate::TypeID SSLBlockingPage::kTypeForTesting =
 
 // Note that we always create a navigation entry with SSL errors.
 // No error happening loading a sub-resource triggers an interstitial so far.
-SSLBlockingPage::SSLBlockingPage(content::WebContents* web_contents,
-                                 int cert_error,
-                                 const net::SSLInfo& ssl_info,
-                                 const GURL& request_url,
-                                 int options_mask,
-                                 const base::Time& time_triggered,
-                                 const base::Callback<void(bool)>& callback)
+SSLBlockingPage::SSLBlockingPage(
+    content::WebContents* web_contents,
+    int cert_error,
+    const net::SSLInfo& ssl_info,
+    const GURL& request_url,
+    int options_mask,
+    const base::Time& time_triggered,
+    SafeBrowsingUIManager* safe_browsing_ui_manager,
+    const base::Callback<void(bool)>& callback)
     : SecurityInterstitialPage(web_contents, request_url),
       callback_(callback),
       cert_error_(cert_error),
@@ -237,7 +246,8 @@ SSLBlockingPage::SSLBlockingPage(content::WebContents* web_contents,
       strict_enforcement_((options_mask & STRICT_ENFORCEMENT) != 0),
       expired_but_previously_allowed_(
           (options_mask & EXPIRED_BUT_PREVIOUSLY_ALLOWED) != 0),
-      time_triggered_(time_triggered) {
+      time_triggered_(time_triggered),
+      safe_browsing_ui_manager_(safe_browsing_ui_manager) {
   interstitial_reason_ =
       IsErrorDueToBadClock(time_triggered_, cert_error_) ?
       SSL_REASON_BAD_CLOCK : SSL_REASON_SSL;
@@ -245,15 +255,15 @@ SSLBlockingPage::SSLBlockingPage(content::WebContents* web_contents,
   // We collapse the Rappor metric name to just "ssl" so we don't leak
   // the "overridable" bit.  We skip Rappor altogether for bad clocks.
   // This must be done after calculating |interstitial_reason_| above.
-  metrics_helper_.reset(new SecurityInterstitialMetricsHelper(
+  set_metrics_helper(new SecurityInterstitialMetricsHelper(
       web_contents, request_url, GetUmaHistogramPrefix(), kSSLRapporPrefix,
       (interstitial_reason_ == SSL_REASON_BAD_CLOCK
            ? SecurityInterstitialMetricsHelper::SKIP_RAPPOR
            : SecurityInterstitialMetricsHelper::REPORT_RAPPOR),
       GetSamplingEventName()));
 
-  metrics_helper_->RecordUserDecision(SecurityInterstitialMetricsHelper::SHOW);
-  metrics_helper_->RecordUserInteraction(
+  metrics_helper()->RecordUserDecision(SecurityInterstitialMetricsHelper::SHOW);
+  metrics_helper()->RecordUserInteraction(
       SecurityInterstitialMetricsHelper::TOTAL_VISITS);
 
   ssl_error_classification_.reset(new SSLErrorClassification(
@@ -285,7 +295,7 @@ SSLBlockingPage::~SSLBlockingPage() {
   if (!callback_.is_null()) {
     // The page is closed without the user having chosen what to do, default to
     // deny.
-    metrics_helper_->RecordUserDecision(
+    metrics_helper()->RecordUserDecision(
         SecurityInterstitialMetricsHelper::DONT_PROCEED);
     RecordSSLExpirationPageEventState(
         expired_but_previously_allowed_, false, overridable_);
@@ -439,6 +449,34 @@ void SSLBlockingPage::PopulateInterstitialStrings(
       &encoded_chain);
   load_time_data->SetString(
       "pem", JoinString(encoded_chain, std::string()));
+
+  PopulateExtendedReportingOption(load_time_data);
+}
+
+void SSLBlockingPage::PopulateExtendedReportingOption(
+    base::DictionaryValue* load_time_data) {
+  // Only show the checkbox if not off-the-record and if the
+  // command-line option is set.
+  const bool show = !web_contents()->GetBrowserContext()->IsOffTheRecord() &&
+                    base::CommandLine::ForCurrentProcess()->HasSwitch(
+                        switches::kEnableInvalidCertCollection);
+
+  load_time_data->SetBoolean(interstitials::kDisplayCheckBox, show);
+  if (!show)
+    return;
+
+  load_time_data->SetBoolean(
+      interstitials::kBoxChecked,
+      IsPrefEnabled(prefs::kSafeBrowsingExtendedReportingEnabled));
+
+  const std::string privacy_link = base::StringPrintf(
+      interstitials::kPrivacyLinkHtml, CMD_OPEN_REPORTING_PRIVACY,
+      l10n_util::GetStringUTF8(IDS_SAFE_BROWSING_PRIVACY_POLICY_PAGE).c_str());
+
+  load_time_data->SetString(
+      interstitials::kOptInLink,
+      l10n_util::GetStringFUTF16(IDS_SAFE_BROWSING_MALWARE_REPORTING_AGREE,
+                                 base::UTF8ToUTF16(privacy_link)));
 }
 
 void SSLBlockingPage::OverrideEntry(NavigationEntry* entry) {
@@ -453,6 +491,11 @@ void SSLBlockingPage::OverrideEntry(NavigationEntry* entry) {
   entry->GetSSL().security_bits = ssl_info_.security_bits;
 }
 
+void SSLBlockingPage::SetCertificateReportCallbackForTesting(
+    const base::Closure& callback) {
+  certificate_report_callback_for_testing_ = callback;
+}
+
 // This handles the commands sent from the interstitial JavaScript.
 // DO NOT reorder or change this logic without also changing the JavaScript!
 void SSLBlockingPage::CommandReceived(const std::string& command) {
@@ -476,13 +519,21 @@ void SSLBlockingPage::CommandReceived(const std::string& command) {
       }
       break;
     }
+    case CMD_DO_REPORT: {
+      SetReportingPreference(true);
+      break;
+    }
+    case CMD_DONT_REPORT: {
+      SetReportingPreference(false);
+      break;
+    }
     case CMD_SHOW_MORE_SECTION: {
-      metrics_helper_->RecordUserInteraction(
+      metrics_helper()->RecordUserInteraction(
           SecurityInterstitialMetricsHelper::SHOW_ADVANCED);
       break;
     }
     case CMD_OPEN_HELP_CENTER: {
-      metrics_helper_->RecordUserInteraction(
+      metrics_helper()->RecordUserInteraction(
           SecurityInterstitialMetricsHelper::SHOW_LEARN_MORE);
       content::NavigationController::LoadURLParams help_page_params(
           google_util::AppendGoogleLocaleParam(
@@ -491,25 +542,24 @@ void SSLBlockingPage::CommandReceived(const std::string& command) {
       break;
     }
     case CMD_RELOAD: {
-      metrics_helper_->RecordUserInteraction(
+      metrics_helper()->RecordUserInteraction(
           SecurityInterstitialMetricsHelper::RELOAD);
       // The interstitial can't refresh itself.
       web_contents()->GetController().Reload(true);
       break;
     }
     case CMD_OPEN_DATE_SETTINGS: {
-      metrics_helper_->RecordUserInteraction(
+      metrics_helper()->RecordUserInteraction(
           SecurityInterstitialMetricsHelper::OPEN_TIME_SETTINGS);
       content::BrowserThread::PostTask(content::BrowserThread::FILE, FROM_HERE,
                                        base::Bind(&LaunchDateAndTimeSettings));
       break;
     }
+    case CMD_OPEN_REPORTING_PRIVACY:
+      OpenExtendedReportingPrivacyPolicy();
+      break;
     case CMD_OPEN_DIAGNOSTIC:
       // Google doesn't currently have a transparency report for SSL.
-    case CMD_DO_REPORT:
-    case CMD_DONT_REPORT:
-    case CMD_OPEN_REPORTING_PRIVACY:
-      // Chrome doesn't currently do Extended Reporting for SSL.
       NOTREACHED() << "Unexpected command: " << command;
   }
 }
@@ -523,8 +573,13 @@ void SSLBlockingPage::OverrideRendererPrefs(
 }
 
 void SSLBlockingPage::OnProceed() {
-  metrics_helper_->RecordUserDecision(
+  metrics_helper()->RecordUserDecision(
       SecurityInterstitialMetricsHelper::PROCEED);
+
+  // Finish collecting information about invalid certificates, if the
+  // user opted in to.
+  FinishCertCollection();
+
   RecordSSLExpirationPageEventState(
       expired_but_previously_allowed_, true, overridable_);
   // Accepting the certificate resumes the loading of the page.
@@ -532,8 +587,13 @@ void SSLBlockingPage::OnProceed() {
 }
 
 void SSLBlockingPage::OnDontProceed() {
-  metrics_helper_->RecordUserDecision(
+  metrics_helper()->RecordUserDecision(
       SecurityInterstitialMetricsHelper::DONT_PROCEED);
+
+  // Finish collecting information about invalid certificates, if the
+  // user opted in to.
+  FinishCertCollection();
+
   RecordSSLExpirationPageEventState(
       expired_but_previously_allowed_, false, overridable_);
   NotifyDenyCertificate();
@@ -581,6 +641,32 @@ std::string SSLBlockingPage::GetSamplingEventName() const {
   return event_name;
 }
 
+void SSLBlockingPage::FinishCertCollection() {
+  base::ScopedClosureRunner scoped_callback(
+      certificate_report_callback_for_testing_);
+
+  if (!base::CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kEnableInvalidCertCollection) ||
+      web_contents()->GetBrowserContext()->IsOffTheRecord()) {
+    return;
+  }
+
+  const bool enabled =
+      IsPrefEnabled(prefs::kSafeBrowsingExtendedReportingEnabled);
+
+  if (!enabled)
+    return;
+
+  metrics_helper()->RecordUserInteraction(
+      SecurityInterstitialMetricsHelper::EXTENDED_REPORTING_IS_ENABLED);
+
+  if (certificate_report_callback_for_testing_.is_null())
+    scoped_callback.Reset(base::Bind(&base::DoNothing));
+
+  safe_browsing_ui_manager_->ReportInvalidCertificateChain(
+      request_url().host(), ssl_info_, scoped_callback.Release());
+}
+
 // static
 bool SSLBlockingPage::IsOptionsOverridable(int options_mask) {
   return (options_mask & SSLBlockingPage::OVERRIDABLE) &&
diff --git a/chrome/browser/ssl/ssl_blocking_page.h b/chrome/browser/ssl/ssl_blocking_page.h
index 4b9b7f184cbf..1ce1ad823908 100644
--- a/chrome/browser/ssl/ssl_blocking_page.h
+++ b/chrome/browser/ssl/ssl_blocking_page.h
@@ -12,7 +12,6 @@
 #include "base/strings/string16.h"
 #include "base/task/cancelable_task_tracker.h"
 #include "base/time/time.h"
-#include "chrome/browser/interstitials/security_interstitial_metrics_helper.h"
 #include "chrome/browser/interstitials/security_interstitial_page.h"
 #include "net/ssl/ssl_info.h"
 #include "url/gurl.h"
@@ -23,6 +22,7 @@ class ExperienceSamplingEvent;
 }
 #endif
 
+class SafeBrowsingUIManager;
 class SSLErrorClassification;
 
 // This class is responsible for showing/hiding the interstitial page that is
@@ -59,6 +59,7 @@ class SSLBlockingPage : public SecurityInterstitialPage {
                   const GURL& request_url,
                   int options_mask,
                   const base::Time& time_triggered,
+                  SafeBrowsingUIManager* safe_browsing_ui_manager,
                   const base::Callback<void(bool)>& callback);
 
   // InterstitialPageDelegate method:
@@ -67,6 +68,10 @@ class SSLBlockingPage : public SecurityInterstitialPage {
   // Returns true if |options_mask| refers to an overridable SSL error.
   static bool IsOptionsOverridable(int options_mask);
 
+  // Allows tests to be notified when an invalid cert chain report has
+  // been sent (or not sent).
+  void SetCertificateReportCallbackForTesting(const base::Closure& callback);
+
  protected:
   // InterstitialPageDelegate implementation.
   void CommandReceived(const std::string& command) override;
@@ -80,6 +85,8 @@ class SSLBlockingPage : public SecurityInterstitialPage {
   void PopulateInterstitialStrings(
       base::DictionaryValue* load_time_data) override;
 
+  void PopulateExtendedReportingOption(base::DictionaryValue* load_time_data);
+
  private:
   void NotifyDenyCertificate();
   void NotifyAllowCertificate();
@@ -87,6 +94,10 @@ class SSLBlockingPage : public SecurityInterstitialPage {
   std::string GetUmaHistogramPrefix() const;
   std::string GetSamplingEventName() const;
 
+  // Send a report about an invalid certificate to the server. Takes
+  // care of calling certificate_report_callback_for_testing_.
+  void FinishCertCollection();
+
   base::Callback<void(bool)> callback_;
 
   const int cert_error_;
@@ -106,11 +117,20 @@ class SSLBlockingPage : public SecurityInterstitialPage {
   // expired?
   const bool expired_but_previously_allowed_;
   scoped_ptr<SSLErrorClassification> ssl_error_classification_;
-  scoped_ptr<SecurityInterstitialMetricsHelper> metrics_helper_;
+
   // The time at which the interstitial was triggered. The interstitial
   // calculates all times relative to this.
   const base::Time time_triggered_;
 
+  // For reporting invalid SSL certificates as part of Safe Browsing
+  // Extended Reporting.
+  SafeBrowsingUIManager* safe_browsing_ui_manager_;
+
+  // This callback is run when an extended reporting certificate chain
+  // report has been sent, or when it is decided that it should not be
+  // sent (for example, when in incognito mode).
+  base::Closure certificate_report_callback_for_testing_;
+
   // Which type of interstitial this is.
   enum SSLInterstitialReason {
     SSL_REASON_SSL,
diff --git a/chrome/browser/ssl/ssl_browser_tests.cc b/chrome/browser/ssl/ssl_browser_tests.cc
index 841c4b26442f..ba69fe78eb8b 100644
--- a/chrome/browser/ssl/ssl_browser_tests.cc
+++ b/chrome/browser/ssl/ssl_browser_tests.cc
@@ -12,9 +12,13 @@
 #include "base/strings/utf_string_conversions.h"
 #include "base/time/time.h"
 #include "chrome/app/chrome_command_ids.h"
+#include "chrome/browser/browser_process.h"
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
+#include "chrome/browser/net/certificate_error_reporter.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/safe_browsing/ping_manager.h"
+#include "chrome/browser/safe_browsing/safe_browsing_service.h"
 #include "chrome/browser/ssl/ssl_blocking_page.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/browser_commands.h"
@@ -49,6 +53,7 @@
 #include "net/cert/x509_certificate.h"
 #include "net/ssl/ssl_info.h"
 #include "net/test/spawned_test_server/spawned_test_server.h"
+#include "net/url_request/url_request_context.h"
 
 #if defined(USE_NSS)
 #include "chrome/browser/net/nss_context.h"
@@ -58,6 +63,7 @@
 
 using base::ASCIIToUTF16;
 using chrome_browser_interstitials::SecurityInterstitialIDNTest;
+using chrome_browser_net::CertificateErrorReporter;
 using content::InterstitialPage;
 using content::NavigationController;
 using content::NavigationEntry;
@@ -174,6 +180,48 @@ void CheckSecurityState(WebContents* tab,
   AuthState::Check(*entry, expected_authentication_state);
 }
 
+namespace CertificateReporting {
+
+enum OptIn { EXTENDED_REPORTING_OPT_IN, EXTENDED_REPORTING_DO_NOT_OPT_IN };
+
+enum Proceed { SSL_INTERSTITIAL_PROCEED, SSL_INTERSTITIAL_DO_NOT_PROCEED };
+
+enum ExpectReport { CERT_REPORT_EXPECTED, CERT_REPORT_NOT_EXPECTED };
+
+// This class is used to test invalid certificate chain reporting when
+// the user opts in to do so on the interstitial.
+class MockReporter : public CertificateErrorReporter {
+ public:
+  explicit MockReporter(net::URLRequestContext* request_context,
+                        const GURL& upload_url,
+                        CookiesPreference cookies_preference)
+      : CertificateErrorReporter(request_context,
+                                 upload_url,
+                                 cookies_preference) {}
+
+  void SendReport(CertificateErrorReporter::ReportType type,
+                  const std::string& hostname,
+                  const net::SSLInfo& ssl_info) override {
+    EXPECT_EQ(CertificateErrorReporter::REPORT_TYPE_EXTENDED_REPORTING, type);
+    latest_hostname_reported_ = hostname;
+  }
+
+  const std::string& latest_hostname_reported() {
+    return latest_hostname_reported_;
+  }
+
+ private:
+  std::string latest_hostname_reported_;
+};
+
+void SetUpMockReporter(SafeBrowsingService* safe_browsing_service,
+                       MockReporter* reporter) {
+  safe_browsing_service->ping_manager()->SetCertificateErrorReporterForTesting(
+      scoped_ptr<CertificateErrorReporter>(reporter));
+}
+
+}  // namespace CertificateReporting
+
 }  // namespace
 
 class SSLUITest : public InProcessBrowserTest {
@@ -192,6 +240,24 @@ class SSLUITest : public InProcessBrowserTest {
                             SSLOptions(SSLOptions::CERT_EXPIRED),
                             net::GetWebSocketTestDataDirectory()) {}
 
+  void SetUpOnMainThread() override {
+    // Set up the mock reporter to track the hostnames that reports get
+    // sent for. The request_context argument is NULL here
+    // because the MockReporter doesn't actually use a
+    // request_context. (In order to pass a real request_context, the
+    // reporter would have to be constructed on the IO thread.)
+    reporter_ = new CertificateReporting::MockReporter(
+        NULL, GURL("http://example.test"),
+        CertificateReporting::MockReporter::DO_NOT_SEND_COOKIES);
+    scoped_refptr<SafeBrowsingService> safe_browsing_service =
+        g_browser_process->safe_browsing_service();
+    ASSERT_TRUE(safe_browsing_service);
+    content::BrowserThread::PostTask(
+        content::BrowserThread::IO, FROM_HERE,
+        base::Bind(CertificateReporting::SetUpMockReporter,
+                   safe_browsing_service, reporter_));
+  }
+
   void SetUpCommandLine(base::CommandLine* command_line) override {
     // Browser will both run and display insecure content.
     command_line->AppendSwitch(switches::kAllowRunningInsecureContent);
@@ -356,6 +422,57 @@ class SSLUITest : public InProcessBrowserTest {
         page_with_unsafe_worker_path);
   }
 
+  // Helper function for testing invalid certificate chain reporting.
+  void TestBrokenHTTPSReporting(
+      CertificateReporting::OptIn opt_in,
+      CertificateReporting::Proceed proceed,
+      CertificateReporting::ExpectReport expect_report,
+      Browser* browser) {
+    ASSERT_TRUE(https_server_expired_.Start());
+
+    // Opt in to sending reports for invalid certificate chains.
+    browser->profile()->GetPrefs()->SetBoolean(
+        prefs::kSafeBrowsingExtendedReportingEnabled,
+        opt_in == CertificateReporting::EXTENDED_REPORTING_OPT_IN);
+
+    ui_test_utils::NavigateToURL(browser, https_server_expired_.GetURL("/"));
+
+    WebContents* tab = browser->tab_strip_model()->GetActiveWebContents();
+    CheckAuthenticationBrokenState(tab, net::CERT_STATUS_DATE_INVALID,
+                                   AuthState::SHOWING_INTERSTITIAL);
+
+    // Set up a callback so that the test is notified when the report
+    // has been sent on the IO thread (or not sent).
+    base::RunLoop report_run_loop;
+    base::Closure report_callback = report_run_loop.QuitClosure();
+    SSLBlockingPage* interstitial_page = static_cast<SSLBlockingPage*>(
+        tab->GetInterstitialPage()->GetDelegateForTesting());
+    interstitial_page->SetCertificateReportCallbackForTesting(report_callback);
+
+    EXPECT_EQ(std::string(), reporter_->latest_hostname_reported());
+
+    // Leave the interstitial (either by proceeding or going back)
+    if (proceed == CertificateReporting::SSL_INTERSTITIAL_PROCEED) {
+      ProceedThroughInterstitial(tab);
+    } else {
+      // Click "Take me back"
+      InterstitialPage* interstitial_page = tab->GetInterstitialPage();
+      ASSERT_TRUE(interstitial_page);
+      interstitial_page->DontProceed();
+    }
+
+    // Wait until the report has been sent on the IO thread.
+    report_run_loop.Run();
+
+    if (expect_report == CertificateReporting::CERT_REPORT_EXPECTED) {
+      // Check that the mock reporter received a request to send a report.
+      EXPECT_EQ(https_server_expired_.GetURL("/").host(),
+                reporter_->latest_hostname_reported());
+    } else {
+      EXPECT_EQ(std::string(), reporter_->latest_hostname_reported());
+    }
+  }
+
   net::SpawnedTestServer https_server_;
   net::SpawnedTestServer https_server_expired_;
   net::SpawnedTestServer https_server_mismatched_;
@@ -363,6 +480,7 @@ class SSLUITest : public InProcessBrowserTest {
 
  private:
   typedef net::SpawnedTestServer::SSLOptions SSLOptions;
+  CertificateReporting::MockReporter* reporter_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLUITest);
 };
@@ -397,6 +515,17 @@ class SSLUITestIgnoreLocalhostCertErrors : public SSLUITest {
   }
 };
 
+class SSLUITestWithExtendedReporting : public SSLUITest {
+ public:
+  SSLUITestWithExtendedReporting() : SSLUITest() {}
+
+  void SetUpCommandLine(base::CommandLine* command_line) override {
+    // Enable a checkbox on SSL interstitials that allows users to opt
+    // in to reporting invalid certificate chains.
+    command_line->AppendSwitch(switches::kEnableInvalidCertCollection);
+  }
+};
+
 // Visits a regular page over http.
 IN_PROC_BROWSER_TEST_F(SSLUITest, TestHTTP) {
   ASSERT_TRUE(test_server()->Start());
@@ -994,6 +1123,73 @@ IN_PROC_BROWSER_TEST_F(SSLUITest, MAYBE_TestDisplaysInsecureContent) {
                           AuthState::DISPLAYED_INSECURE_CONTENT);
 }
 
+// Test that when the checkbox is checked and the user proceeds through
+// the interstitial, the FraudulentCertificateReporter sees a request to
+// send a report.
+IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
+                       TestBrokenHTTPSProceedWithReporting) {
+  TestBrokenHTTPSReporting(CertificateReporting::EXTENDED_REPORTING_OPT_IN,
+                           CertificateReporting::SSL_INTERSTITIAL_PROCEED,
+                           CertificateReporting::CERT_REPORT_EXPECTED,
+                           browser());
+}
+
+// Test that when the checkbox is checked and the user goes back (does
+// not proceed through the interstitial), the
+// FraudulentCertificateReporter sees a request to send a report.
+IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
+                       TestBrokenHTTPSGoBackWithReporting) {
+  TestBrokenHTTPSReporting(
+      CertificateReporting::EXTENDED_REPORTING_OPT_IN,
+      CertificateReporting::SSL_INTERSTITIAL_DO_NOT_PROCEED,
+      CertificateReporting::CERT_REPORT_EXPECTED, browser());
+}
+
+// Test that when the checkbox is not checked and the user proceeds
+// through the interstitial, the FraudulentCertificateReporter does not
+// see a request to send a report.
+IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
+                       TestBrokenHTTPSProceedWithNoReporting) {
+  TestBrokenHTTPSReporting(
+      CertificateReporting::EXTENDED_REPORTING_DO_NOT_OPT_IN,
+      CertificateReporting::SSL_INTERSTITIAL_PROCEED,
+      CertificateReporting::CERT_REPORT_NOT_EXPECTED, browser());
+}
+
+// Test that when the checkbox is not checked and the user does not proceed
+// through the interstitial, the FraudulentCertificateReporter does not
+// see a request to send a report.
+IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
+                       TestBrokenHTTPSGoBackWithNoReporting) {
+  TestBrokenHTTPSReporting(
+      CertificateReporting::EXTENDED_REPORTING_DO_NOT_OPT_IN,
+      CertificateReporting::SSL_INTERSTITIAL_DO_NOT_PROCEED,
+      CertificateReporting::CERT_REPORT_NOT_EXPECTED, browser());
+}
+
+// Test that when the command-line switch for reporting invalid cert
+// chains is not enabled, reports don't get sent, even if the opt-in
+// preference is set. (i.e. if a user enables invalid cert collection in
+// chrome://flags, checks the box on an interstitial, and then disables
+// the flag in chrome://flags, reports shouldn't be sent on the next
+// interstitial).
+IN_PROC_BROWSER_TEST_F(SSLUITest, TestBrokenHTTPSNoReportingWithoutSwitch) {
+  TestBrokenHTTPSReporting(CertificateReporting::EXTENDED_REPORTING_OPT_IN,
+                           CertificateReporting::SSL_INTERSTITIAL_PROCEED,
+                           CertificateReporting::CERT_REPORT_NOT_EXPECTED,
+                           browser());
+}
+
+// Test that reports don't get sent in incognito mode even if the opt-in
+// preference is set and the command-line switch is enabled.
+IN_PROC_BROWSER_TEST_F(SSLUITestWithExtendedReporting,
+                       TestBrokenHTTPSNoReportingInIncognito) {
+  TestBrokenHTTPSReporting(CertificateReporting::EXTENDED_REPORTING_OPT_IN,
+                           CertificateReporting::SSL_INTERSTITIAL_PROCEED,
+                           CertificateReporting::CERT_REPORT_NOT_EXPECTED,
+                           CreateIncognitoBrowser());
+}
+
 // Visits a page that runs insecure content and tries to suppress the insecure
 // content warnings by randomizing location.hash.
 // Based on http://crbug.com/8706
@@ -1944,7 +2140,7 @@ class SSLBlockingPageIDNTest : public SecurityInterstitialIDNTest {
         request_url.host(), "CA", base::Time::Max(), base::Time::Max());
     return new SSLBlockingPage(
         contents, net::ERR_CERT_CONTAINS_ERRORS, ssl_info, request_url, 0,
-        base::Time::NowFromSystemTime(), base::Callback<void(bool)>());
+        base::Time::NowFromSystemTime(), nullptr, base::Callback<void(bool)>());
   }
 };
 
diff --git a/chrome/browser/ssl/ssl_error_handler.cc b/chrome/browser/ssl/ssl_error_handler.cc
index 4667c860720b..6e0cd4d85571 100644
--- a/chrome/browser/ssl/ssl_error_handler.cc
+++ b/chrome/browser/ssl/ssl_error_handler.cc
@@ -9,6 +9,7 @@
 #include "base/metrics/histogram.h"
 #include "base/time/time.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/safe_browsing/ui_manager.h"
 #include "chrome/browser/ssl/ssl_blocking_page.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/notification_source.h"
@@ -89,6 +90,7 @@ void SSLErrorHandler::HandleSSLError(
     const net::SSLInfo& ssl_info,
     const GURL& request_url,
     int options_mask,
+    SafeBrowsingUIManager* safe_browsing_ui_manager,
     const base::Callback<void(bool)>& callback) {
 #if defined(ENABLE_CAPTIVE_PORTAL_DETECTION)
   CaptivePortalTabHelper* captive_portal_tab_helper =
@@ -98,10 +100,10 @@ void SSLErrorHandler::HandleSSLError(
   }
 #endif
   DCHECK(!FromWebContents(web_contents));
-  web_contents->SetUserData(UserDataKey(),
-                            new SSLErrorHandler(web_contents, cert_error,
-                                                ssl_info, request_url,
-                                                options_mask, callback));
+  web_contents->SetUserData(
+      UserDataKey(),
+      new SSLErrorHandler(web_contents, cert_error, ssl_info, request_url,
+                          options_mask, safe_browsing_ui_manager, callback));
 
   SSLErrorHandler* error_handler =
       SSLErrorHandler::FromWebContents(web_contents);
@@ -121,19 +123,22 @@ void SSLErrorHandler::SetInterstitialTimerStartedCallbackForTest(
   g_timer_started_callback = callback;
 }
 
-SSLErrorHandler::SSLErrorHandler(content::WebContents* web_contents,
-                                 int cert_error,
-                                 const net::SSLInfo& ssl_info,
-                                 const GURL& request_url,
-                                 int options_mask,
-                                 const base::Callback<void(bool)>& callback)
+SSLErrorHandler::SSLErrorHandler(
+    content::WebContents* web_contents,
+    int cert_error,
+    const net::SSLInfo& ssl_info,
+    const GURL& request_url,
+    int options_mask,
+    SafeBrowsingUIManager* safe_browsing_ui_manager,
+    const base::Callback<void(bool)>& callback)
     : content::WebContentsObserver(web_contents),
       web_contents_(web_contents),
       cert_error_(cert_error),
       ssl_info_(ssl_info),
       request_url_(request_url),
       options_mask_(options_mask),
-      callback_(callback) {
+      callback_(callback),
+      safe_browsing_ui_manager_(safe_browsing_ui_manager) {
 #if defined(ENABLE_CAPTIVE_PORTAL_DETECTION)
   Profile* profile = Profile::FromBrowserContext(
       web_contents->GetBrowserContext());
@@ -203,7 +208,7 @@ void SSLErrorHandler::ShowSSLInterstitial() {
             SHOW_SSL_INTERSTITIAL_NONOVERRIDABLE);
   (new SSLBlockingPage(web_contents_, cert_error_, ssl_info_, request_url_,
                        options_mask_, base::Time::NowFromSystemTime(),
-                       callback_))->Show();
+                       safe_browsing_ui_manager_, callback_))->Show();
   // Once an interstitial is displayed, no need to keep the handler around.
   // This is the equivalent of "delete this".
   web_contents_->RemoveUserData(UserDataKey());
diff --git a/chrome/browser/ssl/ssl_error_handler.h b/chrome/browser/ssl/ssl_error_handler.h
index 4679f4ac1b3c..c069b47a5562 100644
--- a/chrome/browser/ssl/ssl_error_handler.h
+++ b/chrome/browser/ssl/ssl_error_handler.h
@@ -23,6 +23,8 @@ class RenderViewHost;
 class WebContents;
 }
 
+class SafeBrowsingUIManager;
+
 // This class is responsible for deciding whether to show an SSL warning or a
 // captive portal error page. It makes this decision by delaying the display of
 // SSL interstitial for a few seconds (2 by default), and waiting for a captive
@@ -51,6 +53,7 @@ class SSLErrorHandler : public content::WebContentsUserData<SSLErrorHandler>,
                              const net::SSLInfo& ssl_info,
                              const GURL& request_url,
                              int options_mask,
+                             SafeBrowsingUIManager* safe_browsing_ui_manager,
                              const base::Callback<void(bool)>& callback);
 
   static void SetInterstitialDelayTypeForTest(InterstitialDelayType delay);
@@ -65,6 +68,7 @@ class SSLErrorHandler : public content::WebContentsUserData<SSLErrorHandler>,
                   const net::SSLInfo& ssl_info,
                   const GURL& request_url,
                   int options_mask,
+                  SafeBrowsingUIManager* safe_browsing_ui_manager,
                   const base::Callback<void(bool)>& callback);
 
   ~SSLErrorHandler() override;
@@ -108,6 +112,8 @@ class SSLErrorHandler : public content::WebContentsUserData<SSLErrorHandler>,
   content::NotificationRegistrar registrar_;
   base::OneShotTimer<SSLErrorHandler> timer_;
 
+  SafeBrowsingUIManager* safe_browsing_ui_manager_;
+
   DISALLOW_COPY_AND_ASSIGN(SSLErrorHandler);
 };
 
diff --git a/chrome/browser/ssl/ssl_error_handler_unittest.cc b/chrome/browser/ssl/ssl_error_handler_unittest.cc
index 96ef738c2afd..e93908e9cf78 100644
--- a/chrome/browser/ssl/ssl_error_handler_unittest.cc
+++ b/chrome/browser/ssl/ssl_error_handler_unittest.cc
@@ -29,12 +29,12 @@ class TestSSLErrorHandler : public SSLErrorHandler {
                         ssl_info,
                         GURL(),
                         0,
+                        nullptr,
                         base::Callback<void(bool)>()),
         profile_(profile),
         captive_portal_checked_(false),
         ssl_interstitial_shown_(false),
-        captive_portal_interstitial_shown_(false) {
-  }
+        captive_portal_interstitial_shown_(false) {}
 
   ~TestSSLErrorHandler() override {
   }
diff --git a/chrome/browser/ui/webui/interstitials/interstitial_ui.cc b/chrome/browser/ui/webui/interstitials/interstitial_ui.cc
index 5148eda3f0e4..31a98bef8aff 100644
--- a/chrome/browser/ui/webui/interstitials/interstitial_ui.cc
+++ b/chrome/browser/ui/webui/interstitials/interstitial_ui.cc
@@ -94,13 +94,9 @@ SSLBlockingPage* CreateSSLBlockingPage(content::WebContents* web_contents) {
     options_mask |= SSLBlockingPage::OVERRIDABLE;
   if (strict_enforcement)
     options_mask |= SSLBlockingPage::STRICT_ENFORCEMENT;
-  return new SSLBlockingPage(web_contents,
-                              cert_error,
-                              ssl_info,
-                              request_url,
-                              options_mask,
-                              time_triggered_,
-                              base::Callback<void(bool)>());
+  return new SSLBlockingPage(web_contents, cert_error, ssl_info, request_url,
+                             options_mask, time_triggered_, nullptr,
+                             base::Callback<void(bool)>());
 }
 
 SafeBrowsingBlockingPage* CreateSafeBrowsingBlockingPage(
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index efb1d63750ff..3edff1d9c494 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -457,6 +457,9 @@ const char kEnableExtensionActivityLogTesting[] =
 // crbug.com/142458 .
 const char kEnableFastUnload[]         = "enable-fast-unload";
 
+// Enable opt-in for the collection of invalid TLS/SSL certificate chains.
+const char kEnableInvalidCertCollection[] = "enable-invalid-cert-collection";
+
 // Enables IPv6 support, even if probes suggest that it may not be fully
 // supported. Some probes may require internet connections, and this flag will
 // allow support independent of application testing. This flag overrides
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index 2cd091227c36..05ab1bd6c6e5 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -134,6 +134,7 @@ extern const char kEnableExperimentalHotwordHardware[];
 extern const char kEnableExtensionActivityLogging[];
 extern const char kEnableExtensionActivityLogTesting[];
 extern const char kEnableFastUnload[];
+extern const char kEnableInvalidCertCollection[];
 extern const char kEnableIPv6[];
 extern const char kEnableLinkableEphemeralApps[];
 extern const char kEnableMaterialDesignSettings[];
diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml
index 8acabf75928c..60b080021e5d 100644
--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -32007,6 +32007,10 @@ Therefore, the affected-histogram name has to have at least one dot in it.
 </histogram>
 
 <histogram name="SB2.ExtendedReportingIsEnabled" enum="BooleanEnabled">
+  <obsolete>
+    Deprecated 03/2015. Replaced by
+    SecurityInterstitialInteraction::EXTENDED_REPORTING_IS_ENABLED.
+  </obsolete>
   <owner>felt@chromium.org</owner>
   <summary>
     Whether the user has Safe Browsing extended reporting enabled at the time a
@@ -32471,6 +32475,10 @@ Therefore, the affected-histogram name has to have at least one dot in it.
 </histogram>
 
 <histogram name="SB2.SetExtendedReportingEnabled" enum="BooleanEnabled">
+  <obsolete>
+    Deprecated 03/2015. Replaced by
+    SecurityInterstitialInteraction::SET_EXTENDED_REPORTING_ENABLED.
+  </obsolete>
   <owner>felt@chromium.org</owner>
   <summary>
     Tracks changes to the Safe Browsing extended reporting opt-in which is shown
@@ -53605,6 +53613,7 @@ To add a new entry, add it with any value and run test to compute valid value.
   <int value="1900529524" label="disable-touch-drag-drop"/>
   <int value="1906942630" label="enable-easy-unlock"/>
   <int value="1930901873" label="disable-sync-app-list"/>
+  <int value="1939413645" label="enable-invalid-cert-collection"/>
   <int value="1944156526" label="sync-url"/>
   <int value="1961425320" label="force-qtkit"/>
   <int value="1966730288" label="disable-threaded-compositing"/>
@@ -59281,6 +59290,9 @@ To add a new entry, add it with any value and run test to compute valid value.
   <int value="4" label="SHOW_LEARN_MORE"/>
   <int value="5" label="RELOAD"/>
   <int value="6" label="OPEN_TIME_SETTINGS"/>
+  <int value="7" label="SET_EXTENDED_REPORTING_ENABLED"/>
+  <int value="8" label="SET_EXTENDED_REPORTING_DISABLED"/>
+  <int value="9" label="EXTENDED_REPORTING_IS_ENABLED"/>
 </enum>
 
 <enum name="ServiceProcessEventType" type="int">
-- 
2.11.4.GIT