Hacker News

Self-signed is worse than not having one. Don't do that.



Please stop spreading this lie. It's been debunked many, many times. Just because something doesn't provide 100% security doesn't mean you should give up and use nothing.

Once again, self-signed SSL raises the cost of an attack from "basically free" passive monitoring to a much more expensive[1] MitM attack. It's a travesty that Apache doesn't simply auto-create a self-signed certificate if it doesn't have one so plain HTTP can be retired forever.

Note: this is about transport security, and the UI presented should not suggest any kind of authentication has been achieved. In Firefox, this means not showing the "locked padlock" and other changes usually associated with SSL.

So please, stop undermining the security of the web. We could have been all-HTTPS a long time ago if this nonsense wasn't brought up each time.

[1] and hard to use against everybody simultaneously


Why? The crypto is just as strong with a self-signed cert as a "name brand" cert. The only downside is teaching users to ignore SSL errors, which is bad.


The crypto strength of a self-signed cert is irrelevant because a MITM can generate their own self-signed cert with your website's name.


Right, so you have to verify the certificate through some "out of band" (relative to the browser) mechanism.
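The out-of-band check the last reply points at, as an added example that is not part of this thread: a trust-on-first-use pin store keyed by certificate fingerprint, so a second self-signed cert that carries the same hostname but a different key is rejected. The certificate byte strings are constructed placeholders, not real X.509 data, and `fetch_peer_cert` is an assumed helper for pulling a live server's DER cert to feed into the check.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
# Both carry the same hostname, as an attacker's self-signed cert would,
# but they wrap different public keys, so their fingerprints differ.
SERVER_CERT_DER = b"CONSTRUCTED-CERT subject=CN=example.test key=server-key-A"
ATTACKER_CERT_DER = b"CONSTRUCTED-CERT subject=CN=example.test key=attacker-key-B"


class PinMismatch(Exception):
    """The presented certificate differs from the one pinned for this host."""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate; this is the value confirmed
    out of band (the same thing `openssl x509 -fingerprint -sha256` prints)."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Trust-on-first-use pin store keyed by hostname, like SSH known_hosts.
    The subject name is ignored on purpose: anyone can put a name in a
    self-signed cert; only the key fingerprint distinguishes the real server."""

    def __init__(self):
        self.pins = {}

    def check(self, host: str, der: bytes) -> str:
        fp = fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            # First contact: record the fingerprint. The user should have
            # confirmed it through a channel the network path does not control.
            self.pins[host] = fp
            return "pinned"
        if known != fp:
            # Same hostname, different key: the situation a MITM produces.
            raise PinMismatch(f"{host}: expected {known[:16]}..., got {fp[:16]}...")
        return "ok"


def fetch_peer_cert(host: str, port: int = 443) -> bytes:
    """Assumed helper: fetch the server's leaf certificate in DER form without
    CA validation, so the pin check above can be applied to a self-signed cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # trust is decided by PinStore, not by CAs
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```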



