Thanks to Mattias Geniar for solving this frustrating mystery for me.
In short, `.dev` isn’t only a convenient “fake” top level domain for use in local web development; it’s also a legitimate top level domain owned by Google. In December of 2017 Chrome and Firefox were updated to force all requests to .dev hosts to load securely.
What should we do differently?
One workaround is to create a self-signed certificate and add it to your local machine’s trusted certificate store. That sounds like a lot of work to me.
The lazier way is to use something other than .dev for local development. I like dev.example.com, but I think I’ll go with example.test, as Mattias suggests.