Are SSL's default snake oil certificates truly snake oil as opposed to being genuine honest-to-good certificates? [closed]
Solution 1:
Remeber SSL serves two very important functions
- Secure communication
- Trust
Any self generated SSL certificate give you 1. which allow encrypted traffic or as you say a valid SSL certificate.
However a self-generated SSL certificate can only give Trust to people who trust you. The reason for SSL certs being generated by trusted 3rd parties is to provide number 2. Your browser trusts them and they trust you. If you generate it yourself you could claim to be www.microsoft.com and if someone trusted you it would be.
Also as pointed out in the comments this is why you shouldn't trust someones self signed cert for their server as then your browser will apparently trust any future certificates signed by the same server.
This is why self - generated are snake oil certs.
Update: The LetsEncrypt service coupled with a modern webserver such as Caddy take almost all the difficulty out of getting and using TLS certs, so no need for snake oil certs any more!
Solution 2:
Self-signed certificates will encrypt your communication just the same as standard ones. So the encryption is not the issue.
Certificates can also be used to verify identity. How it is supposed to work is that when you connect securely to a server, that server presents its certificate to you or your browser, and then you or your browser decide if you can trust the server's assertion of identity.
Certificates can be signed by other "higher-level" certificates, typically called certification authorities. So, if the server's certificate is signed by a CA that you or your browser trusts, the identity is considered valid.
Most major browsers come with a number of root certificates that they automatically trust, from Verisign and other well-known CAs.
With a self-signed certificate, since it is not signed by a third-party CA but the same entity that made the certificate, you cannot depend on anyone else to verify the identity except the one who generated the certificate. It's equivalent to someone printing their own ID card and giving it to you to verify identity. This isn't necesarily a problem, despite browser warnings, if you know/trust who generated the certificate or did it yourself.