Welcome to the staging ground for new communities! Each proposal has a description in the "Descriptions" category and a body of questions and answers in "Incubator Q&A". You can ask questions (and get answers, we hope!) right away, and start new proposals.
Are certificate errors always reported immediately, or is validation cached? Question
I visited a site that I use infrequently and got a certificate error, specifically NET:ERR_CERT_AUTHORITY_INVALID. I contacted the owner, who asked for a screenshot. That surprised me, as I had assumed that a certificate problem would be visible to everyone. I tested three browsers across two devices and saw the same problem everywhere -- but I also hadn't visited this site recently from any of them. The owner presumably visits it a lot.
Is certificate validation cached client-side? If so, for how long, and how can a user flush or bypass it?
I can think of two reasons to want to flush such a cache and force a recheck. One is if I'm the owner of the site and want to check that everything's ok (the situation that prompted this question). The other is if I'm a cautious user who wants to double-check that, say, my bank doesn't have security issues before I log in -- a scenario that hadn't occurred to me before seeing this error that a site owner doesn't see.
1 answer
I believe the normal "best" way to check a certificate is to connect to the site using one of the CLI clients in the OpenSSL software suite, which is normally installed on Linux machines because many programs rely on it to handle TLS (the technology which superseded SSL, even though the obsolete term SSL is still used in many places).
I am not aware of any SSL caching. Every time you connect to the server (ie. every button click, every image load, every page) you are potentially getting an impersonator from MITM or similar. So each and every connection (=web request) must undergo TLS verification again and again. Caching would create a security hole, unless you had some way of reliably identifying that it's the same host as one you've already verified... But TLS is the way to verify identity, so that would be circular.
Browsers can sometimes remember the user's decision to ignore a TLS error. There will normally be some section of the browser settings where the TLS exceptions are buried. This will still check the cert every time, but the browser will disregard the outcome. Every browser is different, but notably Firefox has its own set of certs built in, while others usually rely on the OS's store.
A CLI program like curl or httpie does not have such a TLS exception feature so it is a bit simpler. I believe curl uses the OS cert store, while httpie relies on Python's own cert store (from the pip package certifi).
It is hard to prove a negative, so if I assert here that TLS is not cached, it may turn out to be wrong because some program I don't know about does cache. But hopefully the above illuminates the situation regardless.
if I'm the owner of the site and want to check that everything's ok (the situation that prompted this question).
The easy way to check this is to simply download the certificate your web-server is serving, compare it to the one it should be serving (eg. with md5), and also inspect the fields of the certificate using a certificate viewer of your choice. I don't think you need to worry much about caching, but you could simply open the site with a VPN or proxy.
The other is if I'm a cautious user who wants to double-check that, say, my bank doesn't have security issues before I log in
If I understand correctly, it is the normal operation of TLS for your browser to check it automatically.
2 comment threads