Hello,

Apologies if this is off-topic but I am not sure where else to query 
this.

While going through the list of Root Certificate Authorities on my 
computer, I
was alarmed to discover one I wasn't expecting there, called "DYMO Root 
CA (for
localhost)". This certificate was installed by the label printing 
software, I
installed for my DYMO Label Printer.

It is intended purpose is to allow web-based tools to send content to 
the label
printer to be printed by the local machine. It does it by allowing your 
web
browser to access a web server running on your local computer.

It appears that they are installing the same Root CA and localhost 
certificate
on each machine the printer software is installed on. On my Mac it was 
installed
into the System keychain, as well as the Firefox list of Authorities.

There are screenshots and more details here:
https://github.com/njh/dymo-root-ca-security-risk



What is the correct way for them to achieve what they are trying to do?

Would it be better to use a self-signed localhost certificate (same 
subject and
issuer), generated individually on each machine it is installed on?

Should 'localhost' / Mixed Content work without a certificate?

Or should they have a printer daemon on the local machine talking back 
to a
cloud service, that the browser talks to?



Thanks,

nick.