tbiehn | 2 years ago
'LocalSend uses a secure communication protocol that allows devices to communicate with each other using a REST API. All data is sent securely over HTTPS, and the TLS/SSL certificate is generated on the fly on each device, ensuring maximum security.'
How do they achieve maximum security while generating X.509 certs on device?
Let's look; 'https://github.com/localsend/protocol#2-fingerprint'
'When encryption is on (HTTPS), then the fingerprint is the SHA-256 hash of the certificate'
Confusingly, there is an HTTP non-encrypted mode, and the docs claim the fingerprint is only used to avoid discovery collisions.
Out-of-band [visual comparison / QR code scanning step] sharing of fingerprints COULD be acceptable to prevent 'man in the middle' attacks, however the documentation doesn't seem to indicate that this detail is surfaced or shared with the user. The discovery protocols look 'hella sus', but most local media sharing and discovery is.
LtdJorge | 2 years ago