How can I securely develop a local webapp at a coffee shop?
Safely developing against localhost can be done provided:
- your machine is configured to resolve localhost to a loopback address (note, it's possible to change your hosts file to resolve localhost to a different address)
- your machine is configured to route the loopback address via the loopback interface (it's possible to route loopback addresses to non loopback interface)
- you configure your application to listen on the loopback address, not 0.0.0.0 (many web frameworks listens on 0.0.0.0 by default, this is probably the most common reason for unexpectedly exposing services to untrusted network during development)
- if you use a proxy, your browser is configured not to route localhost/loopback through the proxy
In other words, a fairly typical networking configuration.
Also, take care that your database server aren't binding to 0.0.0.0, as that'll allow anyone on the network to connect directly to the database server. It's probably best to set a firewall configuration so you know exactly what ports and addresses that local services are listening on.
The link you pointed is under the context of a publicly trusted CA issuing certificates with "localhost" name. This is unsafe under that context because the recipient of such certificate may use the certificate to intercept the communication of someone with some unusual networking configurations. When you have full control over your own machine's configuration and you know that you don't have some weird configurations on your machines, the loopback interface is safe.
First, you could use http://127.0.0.1 to bypass the DNS lookup.
Secondly, you can create your own self-signed CA certificate, create a certificate for localhost and connect to https://localhost securely. There is no way an attacker can intercept that connection.
As a result, accessing "https://localhost", say, on a hostile WiFi access point (such as your coffee shops) can be intercepted by a network attacker and redirected to a site (or a certificate) of their choosing.
This is true in the context of the email thread. The email thread is about whether someone could obtain a valid certificate for localhost
from a trusted CA. If this were possible, then yes, someone else could impersonate https://localhost. But a public CA is not permitted to issue certificates for localhost
(Baseline Requirements, section 7.1.4.2.1; see also this discussion on the Let's Encrypt tracker).
Because this is not possible, your own private CA is the only one that you trust that issued a localhost
certificate.
If you're doing this type of stuff often, why not just get a travel router?
With a small travel router, you can set up your own internal network with its own SSID, add encryption, and set up a customized whitelist so only your MAC addresses are allowed on it.