
Looks like an interesting project. What I guess is not really clear is why you'd want to do TLS for local only connections? Are the services published with the .local domain accessible from outside as well so it's like a ngrok alternative?

I'm pretty sure I'm misunderstanding the value-add of having TLS for localhost connections...




> I'm pretty sure I'm misunderstanding the value-add of having TLS for localhost connections...

It often feels like the noose is tightening tbh. There are things that contemporary "evergreen" web browsers just flat out refuse to do without https.

I think this is where they document this... https://www.chromium.org/Home/chromium-security/prefer-secur...

which I got from this stack overflow answer https://stackoverflow.com/a/34161385


Yes, which makes sense I guess, but localhost et al are already considered "secure origins" by that, so the features should be available regardless if you're doing TLS or not, if you're loading the document/page/application from localhost.


Certain browser features/apis are only available when in a secure context https://www.digicert.com/blog/https-only-features-in-browser... so I imagine this might be a reason you would want it.

That being said I don't know why you would pay for an application that does this but I guess I'm not the target market.


Yep. A lot of OAuth integrations will refuse to work on HTTP, too. Some have a `localhost` exception to that restriction, but not all.


This long article helpfully forgets to mention that localhost/loopback addresses are considered secure without https.

https://developer.mozilla.org/en-US/docs/Web/Security/Secure...


Some features have still moved to TLS-only even for localhost. "Considered secure" is somewhat orthogonal to "requires TLS". You can only use HTTP/2 with TLS, for instance, whether or not you are in a "secure context".


Dev <=> Prod parity. There are starting to be more things that require TLS even for localhost.


> I'm pretty sure I'm misunderstanding the value-add of having TLS for localhost connections...

The .local TLD is for the local subnet, not necessarily localhost.


TLS is easy enough... I'm just not sure why one would want or need a certificate authority involved with local connections other than to get rid of the nag screen in Firefox or Chrome.


Mkcert makes it easy, why not?


Maybe it's just to avoid browsers nagging and blocking you from using certain APIs that require a "Secure Context (https)".


Browsers nowadays are picky about including content from and communicating with non-secure hosts. Depending on your setup, it might make local development less of a hassle.



