Open WhiteyDude opened 1 year ago
I'd like to second this suggestion!
Ran into this also. FYI:
```
$ openssl x509 -text < /tmp/dymolocal.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            42:bf:4c:98:4e:4c:47:6a:a3:c5:45:38:fa:87:3a:42
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN = DYMO Root CA (for localhost), O = DYMO, OU = Dev, C = USA, L = Atlanta, ST = GA
        Validity
            Not Before: Jan 1 00:00:00 2018 GMT
            Not After : Jan 1 00:00:00 2038 GMT
        Subject: CN = DYMO Root CA (for localhost), O = DYMO, OU = Dev, C = USA, L = Atlanta, ST = GA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
```
Not sure what the purpose is here, but I'll be installing the software in a container of some sort.
+1 to this issue. Since this is designed to run on localhost, it would be fine to run without a certificate at all, or at least optionally.
Hi team,
I'm setting up a DYMO LabelManager on a Mac, and I've noticed the script
/Applications/DYMO.WebApi.Mac.Host.app/Contents/Resources/InstallCertificates.sh
wants to run during the install. Aside from the obvious - that it's bad to normalise to users that they should type in their password in a terminal they don't understand - the root certificate is of concern. As part of the script:

Digging deeper, it appears you're attempting to run some local web service on my machine, without actually going over the detail of this with me as a user. This is really bad practice, and running random ASP.NET services listening on unexpected ports on people's systems is almost definitely eventually going to lead to some level of exploit, privilege escalation, etc.
Can you please stop adding your own root CAs to people's computers and running local webservers? I feel like that sentence shouldn't need to be said. This is production software you're putting out to users, not local dev, please think about your actions.