Show something more useful than the number of bits in the cipher key.

For a very long time, the first element in the security section of the
Connection dialog says something like:
  "Your connection to example.com is encrypted with 128-bit encryption"

This is useless because it makes people think that 256 bits must be better than
128. But AES-256-CBC is 256 bits and it's far worse than AES-128-GCM.

Also, we had a different message for when bits <= 80, but we don't support any
of those ciphers any longer so that could never be triggered.

This change switches the message to simply say wheather the cipher suite is
decent or legacy. We use the same judgement function as the one for deciding
whether a TLS connection is acceptable for HTTP/2. Basically, >= TLS 1.2,
forward secure and using an AEAD cipher.

Since this text is two clicks down, users will probably never see it. But I'll
stop being annoyed every time I see the old message.

BUG=none
R=felt@chromium.org

Review URL: https://codereview.chromium.org/703143003

Cr-Commit-Position: refs/heads/master@{#303935}
diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index 7481cc5..0c57440 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -9494,10 +9494,10 @@
       </message>
 
       <message name="IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_CONNECTION_TEXT" desc="The text of the connection section when the connection is encrypted.">
-        Your connection to <ph name="DOMAIN">$1<ex>www.google.com</ex></ph> is encrypted with <ph name="BIT_COUNT">$2<ex>128</ex></ph>-bit encryption.
+        Your connection to <ph name="DOMAIN">$1<ex>www.google.com</ex></ph> is encrypted with modern cryptography.
       </message>
       <message name="IDS_PAGE_INFO_SECURITY_TAB_WEAK_ENCRYPTION_CONNECTION_TEXT" desc="The text of the connection section when the connection uses weak encryption.">
-        Your connection to <ph name="DOMAIN">$1<ex>www.google.com</ex></ph> is encrypted with weak encryption.
+        Your connection to <ph name="DOMAIN">$1<ex>www.google.com</ex></ph> is encrypted with obsolete cryptography.
       </message>
       <message name="IDS_PAGE_INFO_SECURITY_TAB_NOT_ENCRYPTED_CONNECTION_TEXT" desc="The text of the connection section when the connection is not encrypted.">
         Your connection to <ph name="DOMAIN">$1<ex>www.google.com</ex></ph> is not encrypted.
diff --git a/chrome/browser/ui/website_settings/website_settings.cc b/chrome/browser/ui/website_settings/website_settings.cc
index ac71f0eb..bbef28d 100644
--- a/chrome/browser/ui/website_settings/website_settings.cc
+++ b/chrome/browser/ui/website_settings/website_settings.cc
@@ -547,17 +547,22 @@
     site_connection_details_.assign(l10n_util::GetStringFUTF16(
         IDS_PAGE_INFO_SECURITY_TAB_NOT_ENCRYPTED_CONNECTION_TEXT,
         subject_name));
-  } else if (ssl.security_bits < 80) {
-    site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED_ERROR;
-    site_connection_details_.assign(l10n_util::GetStringFUTF16(
-        IDS_PAGE_INFO_SECURITY_TAB_WEAK_ENCRYPTION_CONNECTION_TEXT,
-        subject_name));
   } else {
     site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED;
-    site_connection_details_.assign(l10n_util::GetStringFUTF16(
-        IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_CONNECTION_TEXT,
-        subject_name,
-        base::IntToString16(ssl.security_bits)));
+
+    if (net::SSLConnectionStatusToVersion(ssl.connection_status) >=
+            net::SSL_CONNECTION_VERSION_TLS1_2 &&
+        net::IsSecureTLSCipherSuite(
+            net::SSLConnectionStatusToCipherSuite(ssl.connection_status))) {
+      site_connection_details_.assign(l10n_util::GetStringFUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_CONNECTION_TEXT,
+          subject_name));
+    } else {
+      site_connection_details_.assign(l10n_util::GetStringFUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_WEAK_ENCRYPTION_CONNECTION_TEXT,
+          subject_name));
+    }
+
     if (ssl.content_status) {
       bool ran_insecure_content =
           !!(ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT);
diff --git a/chrome/browser/ui/website_settings/website_settings_unittest.cc b/chrome/browser/ui/website_settings/website_settings_unittest.cc
index 4e67c9f..480cd89 100644
--- a/chrome/browser/ui/website_settings/website_settings_unittest.cc
+++ b/chrome/browser/ui/website_settings/website_settings_unittest.cc
@@ -342,7 +342,7 @@
   ssl_.security_style = content::SECURITY_STYLE_AUTHENTICATED;
   ssl_.cert_id = cert_id();
   ssl_.cert_status = 0;
-  ssl_.security_bits = 1;
+  ssl_.security_bits = -1;
   int status = 0;
   status = SetSSLVersion(status, net::SSL_CONNECTION_VERSION_TLS1);
   status = SetSSLCipherSuite(status, CR_TLS_RSA_WITH_AES_256_CBC_SHA256);
diff --git a/net/ssl/ssl_cipher_suite_names.h b/net/ssl/ssl_cipher_suite_names.h
index 29c03a1..4e02fc634 100644
--- a/net/ssl/ssl_cipher_suite_names.h
+++ b/net/ssl/ssl_cipher_suite_names.h
@@ -55,7 +55,7 @@
 // Currently, this function follows these criteria:
 // 1) Only uses forward secure key exchanges
 // 2) Only uses AEADs
-NET_EXPORT_PRIVATE bool IsSecureTLSCipherSuite(uint16 cipher_suite);
+NET_EXPORT bool IsSecureTLSCipherSuite(uint16 cipher_suite);
 
 }  // namespace net