Nicholas Humfrey via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>What is the correct way for them to achieve what they are trying to do? I'm not sure if there is a correct way, just a least awful way. The problem is that the browser vendors have decreed that you can only talk SSL if you use a certificate from a commercial CA, which obviously isn't possible in this case, or in numerous other cases (well, there are many commercial CAs who will happily sell you a cert for "localhost", but that's another story). So you can hack something with "the cloud", but now your label printing software relies on external internet access to work, and you're sending potentially sensitive data that never actually needs to go off-site, off-site for no good reason. Perhaps the least awful way is to install a custom root CA cert that only ever signs one cert, "localhost" (and the CA's private key is held by Dymo, not hardcoded into the binary). You've got a shared private key for localhost, but it's less serious than having a universal root CA there. The problem is really with the browsers, not with Dymo. There's no easy solution from Dymo's end, so what they've done, assuming they haven't hardcoded the CA's private key, is probably the least awful workaround to the problem. Peter. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
