I still can’t get why more or less any browser will complain with a big,red scary page when you go to a site with a self-signed SSL certificate.
Even though the SSL certificate is not trusted, it still provides the site with encryption, and verifies that the content has not been tampered with during transit. This means that anything you enter will be end-to-end encrypted, that is if you ignore the big red message. I think self signed SSL certificates should be treated the same as HTTP: be fine with it if there are no password or credit card forms on the page, and warn the user if there is.
HTTP is worse
HTTP provides no encryption, so everyone on the network can see what you’re doing and what you type in to more or less any form. Also, there is no data integrity, so anyone can tamper with the page. This isn’t much of a problem on blogs and other content sites, it’s only a problem when confidential data, like your password, is transmitted over the internet. Whats worse: no encryption, or encryption that you can’t verify who the origin server is? I think no encryption is worse, and self-signed certs should at least get the same status as HTTP.
The counter argument is that HTTPS is also used to verify that the origin server is who it says it is, so if anyone can sign their own certificate, a man in the middle attack would be much easier. My response to this is that there is the same problem with HTTP, and at least HTTPS has data integrity, so there’s some protection there. I’m not asking for self-signed certificates to get the green bar, all I want is for them to be treated the same as unencrypted traffic, which I think is how it should be.
Share your thoughts in the comments below!