Hello,

Apologies if this is off-topic but I am not sure where else to query this.

While going through the list of Root Certificate Authorities on my computer, I was alarmed to discover one I wasn't expecting there, called "DYMO Root CA (for localhost)". This certificate was installed by the label printing software I installed for my DYMO Label Printer.

Its intended purpose is to allow web-based tools to send content to the label printer to be printed by the local machine. It does it by allowing your web browser to access a web server running on your local computer.

It appears that they are installing the same Root CA and localhost certificate on each machine the printer software is installed on. On my Mac it was installed into the System keychain, as well as the Firefox list of Authorities.

There are screenshots and more details here:
https://github.com/njh/dymo-root-ca-security-risk

What is the correct way for them to achieve what they are trying to do?

Would it be better to use a self-signed localhost certificate (same subject and issuer), generated individually on each machine it is installed on?

Should 'localhost' / Mixed Content work without a certificate?

Or should they have a printer daemon on the local machine talking back to a cloud service, that the browser talks to?
Thanks,
nick.