What are the benefits of a self signed certificate on a live site?

Are there any benefits of a self signed certificate on a live site?

I know in IIS 7 you have the ability to self sign a certificate and I was wondering if using that as a precursor to buying one from a CA would be a good idea.

Do you get the same encryption benefits that you get from a CA signed cert or am I confusing terms? (running off the https protocol)


Solution 1:

The encryption is not a property of the certificate or where it is signed from. The benefit you get from a CA signed cert is that it is automatically trusted by web browsers (and other SSL-aware applications). A self-signed certificate will pop up a warning that the certificate is not trusted. In more recent browsers, such as Firefox 3, the default action is to refuse to show the page and the user has to take deliberate actions to enable use of a self-signed (or expired, for that matter) certificate.

If you can talk to everyone who will use the web page (if this is for your family only, for example), this isn't a problem. Tell them to expect that warning and how to handle it in their browser and it's a one-time issue.

However, if this is for any use that requires anything approaching real security, you probably want a true, signed, not self-signed certificate.

Solution 2:

You get the same encryption benefits, but everyone viewing your site will get a warning that your certificate is untrusted (or from an untrusted source). The advantage of getting one of the mainstream certs is that they are already in the browser as trusted.

In IE 7, go to Tools, Internet Options, Content, Certificates, Trusted Root Certification Authorities. Those are all the authorities IE trusts by default.

Solution 3:

Trust. A self-signed certificate gives the same encryption.

But I trust a CA. I do not trust you.

So why shouldn't I trust you? Because there's no guarantee that the name on the certificate ("Discount Bob's Hanggliding and BBQ Emporium") was the person who actually created the certificate. I could create a certificate that said "Discount Bob's Hanggliding and BBQ Emporium" and when you go to ritter.vg it'd say "Discount Bob's Hanggliding and BBQ Emporium".

But when I ask a CA to sign my certificate that says "Discount Bob's Hanggliding and BBQ Emporium", they'll ask "Sure, show me some credentials" and I don't have any, so they'll tell me to piss off. But the actual Discount Bob will have those credentials, so the CA will sign it. So when you see the certificate, signed by the CA, you'll know that it actually is Discount Bob, because if it weren't the CA wouldn't have signed it.

The purpose of a signed certificate is to verify that the person is actually who he says he is. Because the CA said he is, and I trust the CA.

The encryption isn't directly relevant to a certificate - it just gets added in because it's good to have and it goes hand in hand.
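The trust distinction drawn in Solution 1 and Solution 3 can be reproduced with the certificate-chain check a browser performs. The Go program below is an added example, not code from the question or any of the answers and not related to IIS; it uses only Go's standard library. It constructs a root CA standing in for one a browser ships with, a self-signed site certificate of the kind IIS generates, the same name signed by that CA, and an impostor's self-signed certificate carrying Bob's name. The host name `discount-bobs.example` and the CA name are constructed placeholders. The code shows only the trust outcome; the TLS encryption would be the same for every one of these certificates, which is why the check below is the part that actually differs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder host name and subject; neither refers to a real site.
const (
	siteHost = "discount-bobs.example"
	siteName = "Discount Bob's Hanggliding and BBQ Emporium"
)

// makeCert builds a certificate for cn and returns it with its private key.
// With parent == nil the certificate is self-signed (what IIS generates);
// otherwise it is signed with parentKey, i.e. issued by parent.
func makeCert(cn, dnsName string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A site certificate needs a SAN for the host name and the serverAuth EKU.
		tmpl.DNSNames = []string{dnsName}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifies reports whether leaf chains to a certificate in roots for siteHost,
// which is the check a browser performs before showing (or refusing) the page.
func verifies(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: siteHost})
	return err == nil
}

// Outcome records the result of each verification.
type Outcome struct {
	SelfSignedWithBrowserRoots bool // Bob's self-signed cert against the browser's store
	SelfSignedAfterImport      bool // the same cert after the visitor imported it as trusted
	CASignedWithBrowserRoots   bool // Bob's CA-signed cert against the browser's store
	ImpostorWithBrowserRoots   bool // an impostor's self-signed cert carrying Bob's name
}

// Run builds the four certificates and checks each against the relevant root store.
func Run() (Outcome, error) {
	var out Outcome
	// A root CA standing in for one that browsers ship with (constructed here).
	ca, caKey, err := makeCert("Example Root CA", "", true, nil, nil)
	if err != nil {
		return out, err
	}
	browserRoots := x509.NewCertPool()
	browserRoots.AddCert(ca)

	selfSigned, _, err := makeCert(siteName, siteHost, false, nil, nil)
	if err != nil {
		return out, err
	}
	caSigned, _, err := makeCert(siteName, siteHost, false, ca, caKey)
	if err != nil {
		return out, err
	}
	impostor, _, err := makeCert(siteName, siteHost, false, nil, nil)
	if err != nil {
		return out, err
	}

	out.SelfSignedWithBrowserRoots = verifies(selfSigned, browserRoots)
	// The "tell your family how to handle the warning" case: the visitor adds Bob's cert.
	withImport := x509.NewCertPool()
	withImport.AddCert(ca)
	withImport.AddCert(selfSigned)
	out.SelfSignedAfterImport = verifies(selfSigned, withImport)
	out.CASignedWithBrowserRoots = verifies(caSigned, browserRoots)
	// Same name, no CA signature: the store has no way to tell this from Bob's own cert.
	out.ImpostorWithBrowserRoots = verifies(impostor, browserRoots)
	return out, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Run it with `go run .` and the only field that is true for the self-signed certificate is `SelfSignedAfterImport`: nothing in the certificate's name distinguishes Bob's own cert from the impostor's, so the store can accept it only after the visitor deliberately imports it, which is the manual step the answers describe. The CA-signed certificate verifies against the untouched store because the chain leads to a root the store already holds.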