Self Signed Certificates
Sunday, 13th February, 2011
I recently set up self-signed HTTPS for my sites, and I have to say it was very easy, and it got me wondering about the issues of “trust” in security and networking. Certificates in this context provide two main things: end-to-end (ish) encryption, and trust. The first is simple: data is encrypted at the application level and passed over the network to the server, where it is decrypted. All very nice, especially if passwords etc. are involved.

Trust, however, is somewhat more complex. My self-signed certificate provides me, or anyone using it, with endless warnings from my browser, because the identity cannot be verified. Who said it can’t? Trust is complex. Certificates work on a chain of trust, and at some point we have to just decide to trust (for no better reason than “because we do”) the root of the chain. This leads to issues. Over the years there have been many root nodes, and most of them are now not trusted, but how does this affect me?

I can pay for a certificate, in which case somebody decides I am me and I can be trusted, i.e. they verify my identity. But why should I trust them? Because I paid them? My self-signed certificate provides the same level of encryption as any paid-for offering, so why is it less trusted? Mostly, because I didn’t pay.

However, consider this. I trust me. I signed my own certificate. No one else has ever touched it. My thought is that a self-signed certificate, for me, is more secure than a paid-for one.
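The browser warning and the "I trust me" argument above both come down to which key the client accepts as a trust anchor. As an added example (not from the original post; it assumes the `openssl` command-line tool, and the host name `www.example.test` and both throwaway certificates are constructed), this script shows that a self-signed certificate is its own issuer, that the default trust store rejects it, and that its owner can still verify it against a fingerprint recorded when it was created.

```bash
#!/bin/sh
# Added example: throwaway certificates for a constructed host name.
set -eu

make_self_signed() {   # $1 = output dir, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

fingerprint() {        # SHA-256 fingerprint of a PEM certificate
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

is_self_signed() {     # subject == issuer, and the signature verifies against itself
  [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" ] &&
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

trusted_by_default_store() {   # what a client with only the stock roots decides
  openssl verify "$1" >/dev/null 2>&1
}

check_pin() {          # $1 = certificate presented, $2 = fingerprint recorded out of band
  [ "$(fingerprint "$1")" = "$2" ]
}

dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
mkdir "$dir/mine" "$dir/other"
make_self_signed "$dir/mine"  www.example.test
make_self_signed "$dir/other" www.example.test   # same name, different key
pin=$(fingerprint "$dir/mine/cert.pem")          # noted by the owner at creation time

is_self_signed "$dir/mine/cert.pem" && echo "self-signed: it is its own root"
trusted_by_default_store "$dir/mine/cert.pem" || echo "default store: not trusted (the warning)"
check_pin "$dir/mine/cert.pem"  "$pin" && echo "pin matches: the certificate I created"
check_pin "$dir/other/cert.pem" "$pin" || echo "pin mismatch: same name, different key"
```

The name in a self-signed certificate proves nothing by itself; the fingerprint comparison is what ties the certificate to the key its owner generated.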