[Joker_vD]

Or you can do none of that razzle dazzle which, if you stop to actually think about it, doesn't really bring in any security. Yeah, "let everyone have the keys for that", that's sure much more secure against some vaguely imagined threat connected with people already running arbitrary stuff on your internal network.

[dspillett]

I'm not sure why the level of snark is so high there, given I'd already mentioned the potential security implications meaning those keys should not also be used for non- dev/test resources.

A key reason for maintaining secure connections for everything in local dev environments is to practise for best practice: keeping your dev environments close to production configuration without doing that by lowering production's level of doing-stuff-right accidentally (or intentionally) through insecure settings (like not verifying certificates) leaking out of dev into other environments.

At least this thread isn't full of people complaining that UAs (and related libraries) should still just trust self-signed certs, and not accepting any explanation of why that is a bad idea, which used to be the norm…

[Joker_vD]

TLS is not an end goal in itself, we don't use it simply because "TLS is double-plus-good, raw HTTP is crimethink", sorry, because it's a "best practice" (whatever that term actually means): we use it because it provides us with transport layer security against some specific threats. What threats do your proposed approaches help to secure against, except "developers have mental ability to set up and use a configuration that'd be insecure in prod"? The only even remotely reasonable threat I can think of is the scenario in which your network hardware manufacturer (be it Cisco, or Huawei, or whatever) is wiretapping you. Indeed, it is a valid threat for e.g. Google (PRISM does exist) which is why they've switched to using TLS everywhere. But aside from that?

[dspillett]

> TLS is not an end goal in itself

Correct. Can you point out on the dolly where I said otherwise?

> The only even remotely reasonable threat … But aside from that?

You either didn't read what I said properly, or are deliberately misreading it.

I didn't suggest using TLS properly in dev was for specific threat protection in dev environments, but for stopping dumbed down things in dev accidentally getting out into prod, and that it is “practise for best practice in production”.

Unless of course someone has (or thinks they have!) reason to breach commonly accepted good practise and have real data in dev, in which case dev is a de-facto production environment from a security standpoint.

> "best practice" (whatever that term actually means)

It is a well understood term. I'll not spend my time explaining it as you'll easily find that information elsewhere if you care to.