Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Users Search
Help Dashboard Sign In Sign Up
Descriptions Incubator Q&A Meta
Incubator Q&A
Posts Tags Edits
Create Post

Welcome to the staging ground for new communities! Each proposal has a description in the "Descriptions" category and a body of questions and answers in "Incubator Q&A". You can ask questions (and get answers, we hope!) right away, and start new proposals.

Comments on Are certificate errors always reported immediately, or is validation cached?

Post

Are certificate errors always reported immediately, or is validation cached? Question

+2
−0

I visited a site that I use infrequently and got a certificate error, specifically NET:ERR_CERT_AUTHORITY_INVALID. I contacted the owner, who asked for a screenshot. That surprised me, as I had assumed that a certificate problem would be visible to everyone. I tested three browsers across two devices and saw the same problem everywhere -- but I also hadn't visited this site recently from any of them. The owner presumably visits it a lot.

Is certificate validation cached client-side? If so, for how long, and how can a user flush or bypass it?

I can think of two reasons to want to flush such a cache and force a recheck. One is if I'm the owner of the site and want to check that everything's ok (the situation that prompted this question). The other is if I'm a cautious user who wants to double-check that, say, my bank doesn't have security issues before I log in -- a scenario that hadn't occurred to me before seeing this error that a site owner doesn't see.

Webmasters certificates
posted 5 months ago
user card
Monica Cellio‭ staff
29 189 46
History
Why does this post require moderator attention?
You might want to add some details to your flag.
Why should this post be closed?

2 comment threads

Certificate chain error visibility (1 comment)
CA Invalid? O_o (2 comments)
Certificate chain error visibility
Canina‭ wrote 3 months ago
copy link

Not an answer, but:

It's not necessarily so that a certificate chain problem will be equally visible to everyone.

If a site is fronted by a content delivery network, they are likely to do TLS termination. The backend connection between them and the actual servers may then be HTTP or HTTPS, and if HTTPS almost certainly won't be affected by any issues displayed in your browser.

Your (or the site owner's) ISP, public WiFi network, workplace (probably the most common), VPN provider or even country might be doing TLS interception and termination. If this happens then the certificate seen by your browser is likely to be different from that seen by the site owner.

Providing information on the leaf certificate (as seen by your browser) -- at least its serial number, validity period and fingerprint values -- will allow the site owner to confirm whether the certificate you're seeing is the same one they're seeing and/or the same one they expect visitors to see.