#figwheel-main
2020-06-12
bhauman00:06:58

Actually I think I see a better, safer, easier way

bhauman01:06:10

make/cache self-signed certificates in user's home directory, hash them on their domains/ips for reuse, automate trust installation

bhauman01:06:26

This prevents them from being used for any domains other than the domains specified in the certificate

bhauman01:06:32

furthermore you could have the tool restrict which domains can be created for security reasons

dominicm07:06:58

Wouldn't an attacker just replace the file in the user's home directory? If trust installation is automated.

bhauman14:06:46

@dominicm not that automated 🙂 when you create the certificate you are queried whether to install it

bhauman19:06:12

@dominicm I think I figured it out finally

bhauman19:06:25

it's kinda obvious

bhauman19:06:31

delete the keys

bhauman20:06:12

folks can trust a root that has no keys

bhauman20:06:30

and the leaf certificate keys can’t be used to sign any new certs

bhauman20:06:51

then cache based on the domains, ips to eliminate asking for trust over and over

dominicm20:06:02

Interesting, a tool can even go one step further: never write the priv keys to disk. Keep in memory.

bhauman20:06:30

@dominicm food for thought

dominicm20:06:32

I'll be honest, I still don't entirely understand the use-case of hitting up localhost with ssl.