A Google cryptoboffin is close to releasing a tool that will hopefully make all of us more secure online.
Now that most web traffic travels over HTTPS and browser features increasingly expect security, developers really should be creating and testing apps in an HTTPS environment.
Doing so requires installing a TLS/SSL certificate locally, but the process isn't as easy as it might be. With a bit of effort, devs can generate their own certificate, self-signed or signed by the local root, and install it. Various online tutorials offers ways to do so. There are also projects like minica that aim to ease the pain.
But it could be easier still, along the lines of Let's Encrypt, a tool that lets websites handle HTTPS traffic through automated certificate issuance and installation.
That's desirable, says Valsorda, because testing web apps via insecure HTTP can obscure mixed content issues that might break an HTTPS site in production.
Warning: Malware, rogue users can spy on some apps' HTTPS crypto – by whipping them with a CAT o' nine TLSREAD MORE
"mkcert is a simple by design tool that hides all the arcane knowledge required to generate valid TLS certificates," said Valsorda in a blog post. "It works for any hostname or IP, including localhost, because it only works for you."
Rather than creating a self-signed certificate, mkcert generates certificates signed by the user's private Certificate Authority (CA), a more involved process that's generally better than self-signing if you want to generate multiple certs tied to the CA.
mkcert works with Linux (Arch, CentOS, Debian, Fedora, RHEL, and Ubuntu), macOS, and Windows, as well as Firefox (macOS and Linux), Chrome and Chromium, and Java. With a few extra steps, it also works with Android and iOS. ®