Is adding an untrusted ROOT Certificate not super dangerous? #188
Hi, I wanted to check this out, and the settings nudge me to trust a ROOT certificate to enable TLS to the REST API. Is that not a HUGE security hole? With that trusted, someone in possession of the private key could MITM all traffic. Now I'm going to assume the plugin generates the certificate locally and also doesn't send the private key anywhere, but this seems very dubious to me to be honest.
Replies: 1 comment 1 reply
It is true — there are risks! It has a similar risk profile to making a spare key for your house. As long as you keep that key in your pocket and don’t hand it out, it only opens your front door. But if someone else were to get hold of it, they could use it in ways you didn’t intend.

In this case, the “key” is the root certificate. It’s generated locally and never sent anywhere, but by design the browser needs to “trust” it in order to talk to https://localhost. That’s just how HTTPS works — browsers won’t allow encrypted traffic unless they trust a certificate, and the only way to make that happen on localhost is to generate and trust your own root.

If you’d rather not take that step, you can absolutely use the HTTP version instead. That avoids installing a root certificate entirely — though it does mean traffic to the service isn’t encrypted (which could be fine if you’re only running things locally and trust your own machine).

Either way works; the important thing is just not to share that certificate or its private key with anyone else. As long as you keep it to yourself, the extra risk is small and contained to your own machine.
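The risk raised in the question (whoever holds a trusted root's private key can sign for any site) can be narrowed with X.509 name constraints on the root. The following is an added example, not code from the plugin or from anyone in this thread; file names and subject names are constructed, and it checks the result only with `openssl verify`, so whether a particular browser enforces constraints on a locally trusted root is an assumption to test separately.

```shell
#!/bin/sh
# Added example (constructed names and files): a local root CA restricted by
# X.509 name constraints, so its key can only sign for localhost / 127.0.0.1.
set -eu

make_demo_pki() {   # $1 = scratch directory
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Local Root (constructed)
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign
nameConstraints = critical, permitted;DNS:localhost, permitted;IP:127.0.0.1/255.255.255.255
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

issue_leaf() {      # $1 = directory, $2 = DNS name for the SAN, $3 = output basename
  dir=$1 name=$2 out=$3
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$name" > "$dir/$out.ext"
  openssl req -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=demo leaf" \
    -keyout "$dir/$out.key" -out "$dir/$out.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$out.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 7 -extfile "$dir/$out.ext" -out "$dir/$out.pem" 2>/dev/null
}

leaf_verifies() {   # $1 = directory, $2 = leaf basename; status 0 if the chain validates
  openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

run_demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  issue_leaf "$d" localhost ok        # inside the permitted subtree
  issue_leaf "$d" bank.example bad    # what a holder of the CA key might try to sign
  leaf_verifies "$d" ok  && echo "localhost leaf: accepted"
  leaf_verifies "$d" bad || echo "bank.example leaf: rejected by the root's name constraints"
  rm -rf "$d"
}
run_demo
```

Note that a `DNS:localhost` constraint also permits names under it such as `app.localhost`, and the CA private key still needs file permissions that keep other local users from reading it.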