2

A website I frequent (a Discourse forum) uses Let's Encrypt TLS certificates which are updated every two months with a valid period of three months. But the certificate information shown by Chrome says that the certificate is out-of-date and invalid. Oddly, when you click the padlock icon it does still say "Certificate (Valid)"; it's only when you click on that menu item to see the certificate details that it says it's invalid. I believe this is because Discourse installs a service worker, so that loading the page doesn't actually send an initial network request (though it does then send a request for the live data from the forum). Here's a video with it both showing that the site is correctly secured, while the certificate is expired.

https://www.youtube.com/watch?v=vtRydggAHsI

Are there any security risks with service workers and short term TLS certificates? I assume that any subsequent requests the page makes would use the current certificate. Is this really just a Chrome bug that it shows the outdated certificate?

curiousdannii
  • 1
    The certificate for the website you linked is valid and up-to-date for me. Also, I doubt it's a Chrome bug. –  Jul 27 '20 at 08:07
  • @MechMK1 I didn't provide a link to the site where I am seeing this happen because there won't be any point - you'd need to have visited the site in the same browser 3 months ago to see this phenomenon happen. But if you frequent any other Discourse forums or other sites which install service workers then you might be able to see it there. – curiousdannii Jul 27 '20 at 11:31

1 Answer

-1

If the system's time and/or date of the device you are using to browse the website is misconfigured, you can see a valid certificate shown as invalid. This can happen in two possible scenarios:

  1. The system's date is before the "Not valid before" value of the public certificate.

  2. The system's date is after the "Not valid after" value of the public certificate.

MoralMente