I came across this from the OP's article posted on GitHub, apologies for
posting so much later than the original discussion. I just wanted to throw in
my 2 cents, real use case. A webapp I develop(ed) for my company has been using
DYMO's developer setup and the web service that's installed with
Thank you very much to everyone who replied to my original post. I think
the fact that so many people are making the same mistakes indicates that
the correct solutions are not obvious to many developers.
I have added a "How could this be done better?" section to my README:
Ryan Sleevi writes:
>I similarly suspect you’re unaware of https://wicg.github.io/cors-rfc1918/ in
>which browsers seek to limit or restrict communication to such devices?
A... blog post? Not sure what that is, it's labelled "A Collection of
Interesting Ideas", stashed on
On Wed, Jan 10, 2018 at 3:33 AM Peter Gutmann
wrote:
> Ryan Sleevi writes:
>
> >I hope you can see how I responded to precisely the problem provided.
>
> You responded to that one specific limited instance.
I responded to the topic of this thread,
Ryan Sleevi writes:
>I hope you can see how I responded to precisely the problem provided.
You responded to that one specific limited instance. That doesn't work for
anything else where you've got a service that you want to make available over
HTTPS. Native messaging is a
On Wed, Jan 10, 2018 at 12:42 AM Peter Gutmann
wrote:
> Ryan Sleevi writes:
>
> >Of course, if that doesn’t tickle your fancy, there are other ways that are
> >supported that you may not have heard about - for example:
> >
>
> On Jan 9, 2018, at 19:31, Peter Gutmann via dev-security-policy
> wrote:
>
> Jonathan Rudenberg writes:
>
>> For communicating with other machines, the correct thing to do is to issue a
>> unique certificate for each device from
Jonathan Rudenberg writes:
>For communicating with other machines, the correct thing to do is to issue a
>unique certificate for each device from a publicly trusted CA. The way Plex
>does this is a good example:
> On Jan 9, 2018, at 18:42, Peter Gutmann via dev-security-policy
> wrote:
>
> Ryan Sleevi writes:
>
>> Of course, if that doesn’t tickle your fancy, there are other ways that are
>> supported that you may not have heard about - for
Ryan Sleevi writes:
>Of course, if that doesn’t tickle your fancy, there are other ways that are
>supported that you may not have heard about - for example:
>https://docs.microsoft.com/en-us/microsoft-edge/extensions/guides/native-messaging
>
On Wed, Jan 10, 2018 at 12:08 AM Peter Gutmann
wrote:
> Ryan Sleevi writes:
>
> >Or is your viewpoint that because this happened in the past, one should
> >assume that it will forever happen, no matter how much the ecosystem changes -
> >including
Ryan Sleevi writes:
>Or is your viewpoint that because this happened in the past, one should
>assume that it will forever happen, no matter how much the ecosystem changes -
>including explicitly prohibiting it for years?
Pretty much. See the followup message, which shows it
On Tue, Jan 9, 2018 at 11:12 PM Peter Gutmann
wrote:
> Ryan Sleevi writes:
>
> >First, there are non-commercial CAs that are trusted.
>
> By "commercial CAs" I meant external business entities, not an in-house CA
> that the key or cert owner controls.
Ryan Sleevi writes:
>First, there are non-commercial CAs that are trusted.
By "commercial CAs" I meant external business entities, not an in-house CA
that the key or cert owner controls. Doesn't matter if they charge money or
not, you still need to go to an external
On Tue, Jan 9, 2018 at 4:40 PM, Peter Gutmann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Nicholas Humfrey via dev-security-policy writes:
>
> >What is the correct way for them to achieve what they are trying to do?
>
> I'm
Hi,
On Tue, 09 Jan 2018 21:04:34 +
Nicholas Humfrey via dev-security-policy
wrote:
> What is the correct way for them to achieve what they are trying to
> do?
>
> Would it be better to use a self-signed localhost certificate (same
> subject and
>
Nicholas Humfrey via dev-security-policy
writes:
>What is the correct way for them to achieve what they are trying to do?
I'm not sure if there is a correct way, just a least awful way. The problem
is that the browser vendors have decreed that you can
Hello,
Apologies if this is off-topic but I am not sure where else to query
this.
While going through the list of Root Certificate Authorities on my computer, I
was alarmed to discover one I wasn't expecting there, called "DYMO Root CA (for
localhost)". This certificate was installed by the
18 matches