Re: [w3c/ServiceWorker] What to do when an installed service worker's certificate changes/expires (#1523)

I think there are two issues here that we should address separately:

# Does cert expiry impact cached things?

Certificates are a connection-level thing, not a resource-level thing. If you received the resource securely, you still received that resource securely even once the certificate expires. Certificate 'revocation' could mean that resource was sent over a connection that wasn't 'correctly' secure, but at that point the 'bad' data may have influenced browser storage, so if something needs to happen, it probably involves clearing site storage. It's certainly bigger than a service worker issue.

# How should the browser communicate security to the user?

https://static-misc-2.glitch.me/basic-sw/ - here's a page that serves content from a service worker, without needing a network connection.

Firefox & Chrome show a padlock and "The connection is secure", which is kinda misleading because there is no connection. (cc @asutherland)

Safari does not show a padlock, but it doesn't show "not secure". This might be risky if users associate the presence of the padlock with "this is secure", and the absence of it with a red flag. (cc @youennf)

It feels like we should have a padlock for resources that we know were originally served securely (HTTP cache), or were generated by a resource that was originally served securely (service worker), but a connection wasn't needed in this particular instance. Clicking on the padlock could show "this resource was served without a connection".

But hey, I'm not a security expert. @sleevi @jyasskin does the above sound reasonable?

-- 
View it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1523#issuecomment-670436008

Received on Friday, 7 August 2020 09:55:42 UTC