Browser TLS Session Caching Explained

TL;DR

Yes, browsers do cache TLS session keys to speed up connections to websites you revisit. This is generally a good thing for performance and security (reducing full handshakes), but it can sometimes cause issues if server configurations change. Here’s how it works and what you can do about it.

Understanding TLS Session Caching

When your browser first connects to a secure website (using HTTPS), it goes through a ‘handshake’ process to establish a secure connection using Transport Layer Security (TLS). This involves exchanging keys. Caching these session keys means the browser doesn’t have to repeat this whole handshake every time you visit that site again.

How Browsers Cache TLS Sessions

1. Session ID Caching: The browser stores a unique identifier (session ID) for each successful TLS connection.
2. Key Material Caching: Some browsers also cache parts of the actual key material, though this is less common and more carefully controlled due to security implications.
3. Operating System Level Caching: The operating system itself can also participate in caching, particularly with protocols like QUIC (which uses UDP).

Why Cache TLS Sessions?

• Faster Page Loads: Reusing a cached session avoids the overhead of a full handshake.
• Reduced Server Load: Fewer handshakes mean less work for the website’s server.
• Improved Security (in some cases): Reduces opportunities for man-in-the-middle attacks by quickly re-establishing a known secure connection.

Potential Problems

• Server Configuration Changes: If the website changes its TLS certificate or key, the cached session becomes invalid and needs to be refreshed. Until that happens, you might encounter errors (like SSL/TLS warnings).
• Revoked Certificates: If a certificate is revoked, the browser needs to know about it. Caching can delay this detection.
• Protocol Downgrade Attacks: Although rare with modern browsers, caching could theoretically allow an older, less secure protocol to be used if not handled correctly.

How to Clear TLS Session Cache

The method varies depending on your browser:

Chrome/Edge

1. Open Chrome settings (three dots in the top-right corner) → Privacy and security → Clear browsing data.
2. Select ‘Advanced’ tab.
3. Check ‘Cached images and files’. Important: Be careful not to delete other data you want to keep!
4. Click ‘Clear data’.

Alternatively, you can use the command line:

chrome://net-internals/#sockets

This page lets you flush individual sockets or all socket connections.

Firefox

1. Open Firefox settings (three lines in the top-right corner) → Privacy & Security.
2. Under ‘Cookies and Site Data’, click ‘Clear Data…’.
3. Check ‘Cached Web Content’ and uncheck everything else unless you specifically want to clear those items too.
4. Click ‘Clear’.

You can also use the developer tools:

about:networking#sockets

Similar to Chrome, this allows flushing socket connections.

Safari

1. Safari → Preferences → Privacy.
2. Click ‘Manage Website Data…’.
3. Search for the website in question and remove its data.

Checking Certificate Validity

You can use online tools to verify a website’s TLS certificate:

• SSL Labs SSL Server Test: https://www.ssllabs.com/ssltest/
• DigiCert Certificate Checker: https://www.digicert.com/ssl-certificate-checker

Further Considerations

• Operating System Cache: Clearing the browser cache doesn’t always clear OS-level caches. A system restart might be needed in some cases.
• QUIC Protocol: If a website uses QUIC, clearing the browser cache may not fully resolve issues related to cached connection information.