[GH-ISSUE #282] Remove print of CA location? #182

Closed
opened 2026-02-25 22:32:48 +03:00 by kerem · 2 comments
Originally created by @maudnals on GitHub (Jul 31, 2020).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/282

When creating the local root CA, its location is printed in the terminal:
`Using the local CA at "/Users/<username>/Library/Application Support/mkcert"`
This makes the local root CA easier to find for an attacker.
Once they got hold of it, the attacker could make a certificate for any website, and it would be trusted by the developer's system.

=> Should this indication be removed?

This would not be a mitigation, but an upgrade.
Not sure about the pitfalls (and risks?) of doing this.

Discussed with @FiloSottile.

kerem closed this issue 2026-02-25 22:32:48 +03:00
@FiloSottile commented on GitHub (Jul 31, 2020):

Yup, I think this is a good idea. To be clear, I am not worried about it making it easier for an attacker to find it (if the attacker is in a position to read arbitrary files, it's game over; not printing the path is not going to stop them), but we do want to prevent developers who use mkcert from using or sharing the CA without understanding the danger. Developers mostly don't need the CA, so let's hide it from them.

@polarathene commented on GitHub (Aug 19, 2020):

Agreed that there is little security benefit from hiding that output.

> we do want to prevent developers who use mkcert from using or sharing the CA without understanding the danger.

Then add output that informs / reminds them of that; removing the CA location doesn't discourage accessing it. A user will seek it out either way if they want to.

Just to clarify: the main risk is the private key being taken to create certs for a CA that is locally trusted, but the attacker can only phish with replica sites, and is only able to actually impersonate the URLs of a service in use if something like DNS resolution is compromised via a MITM attack that redirects them to the IP of the attacker's impersonating server instead?

> Developers mostly don't need the CA, so let's hide it from them.

I took the `rootCA.pem` and copied it over to my Android device to import as user credentials. That's advised [here](https://github.com/FiloSottile/mkcert#mobile-devices).

There's a CLI option to get the CA location, and the README section I linked to also mentions that, which I guess is sufficient.

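The thread's real concern is the CA private key, not whether its path is printed. As an added example (not code from this thread or from mkcert), here is a small audit script a developer can run against the directory that `mkcert -CAROOT` reports, the CLI option mentioned above. It checks that `rootCA-key.pem` (the file name mkcert uses for the key, alongside `rootCA.pem` for the public certificate) carries no group or other permission bits, and prints the `chmod` that fixes it if it does. The function takes the directory as an argument so it can be exercised on a constructed sample directory as well as on the live CA root.

```shell
#!/bin/sh
# Added example, not mkcert's own code: audit a mkcert CA root directory so
# the private key (the asset this thread is worried about) is not readable by
# other local accounts. On a real machine the directory comes from
# `mkcert -CAROOT`; rootCA.pem / rootCA-key.pem are the file names mkcert uses.

# Print the ten-character permission string of a path (e.g. -rw-------),
# using ls so it behaves the same on GNU and BSD/macOS userlands.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# check_caroot DIR
# Returns 0 when DIR holds rootCA-key.pem with no group/other access bits,
# 1 when the key is missing or exposed. Findings are printed to stdout.
check_caroot() {
    dir=$1
    key="$dir/rootCA-key.pem"
    cert="$dir/rootCA.pem"

    if [ ! -f "$key" ]; then
        echo "no private key at $key: wrong directory, or the CA was never created"
        return 1
    fi
    [ -f "$cert" ] || echo "note: $cert is missing; the public cert is what gets shared, never the key"

    perms=$(perm_string "$key")
    # Characters 5-10 are the group and other bits; any letter there means
    # another local account can read (or worse, write) the CA key.
    case "$(echo "$perms" | cut -c5-10)" in
        ------) echo "ok: $key is $perms (owner-only)"; return 0 ;;
        *)      echo "EXPOSED: $key is $perms; fix with: chmod 600 '$key'"; return 1 ;;
    esac
}

# When run as a script with a directory argument, audit that directory.
if [ $# -gt 0 ]; then
    check_caroot "$1"
fi
```

Usage on a developer machine is `sh audit-caroot.sh "$(mkcert -CAROOT)"`; the exit status is non-zero when the key is exposed, so it can sit in a dotfiles or onboarding check. The script deliberately reports permission bits rather than reading the key, so it never copies or displays key material.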