Are SSL's default snake oil certificates truly snake oil as opposed to being genuine honest-to-good certificates? [closed]

Solution 1:

Remember SSL serves two very important functions:

  1. Secure communication
  2. Trust

Any self-generated SSL certificate gives you 1, which allows encrypted traffic, or, as you say, a valid SSL certificate.

However a self-generated SSL certificate can only give Trust to people who trust you. The reason for SSL certs being generated by trusted 3rd parties is to provide number 2. Your browser trusts them and they trust you. If you generate it yourself you could claim to be www.microsoft.com and if someone trusted you it would be.

Also, as pointed out in the comments, this is why you shouldn't trust someone's self-signed cert for their server, as then your browser will apparently trust any future certificates signed by the same server.

This is why self-generated certs are snake oil certs.

Update: The LetsEncrypt service, coupled with a modern webserver such as Caddy, takes almost all the difficulty out of getting and using TLS certs, so there is no need for snake oil certs any more!

Solution 2:

Self-signed certificates will encrypt your communication just the same as standard ones. So the encryption is not the issue.

Certificates can also be used to verify identity. How it is supposed to work is that when you connect securely to a server, that server presents its certificate to you or your browser, and then you or your browser decide if you can trust the server's assertion of identity.

Certificates can be signed by other "higher-level" certificates, typically called certification authorities. So, if the server's certificate is signed by a CA that you or your browser trusts, the identity is considered valid.

Most major browsers come with a number of root certificates that they automatically trust, from Verisign and other well-known CAs.

With a self-signed certificate, since it is not signed by a third-party CA but by the same entity that made the certificate, you cannot depend on anyone else to verify the identity except the one who generated the certificate. It's equivalent to someone printing their own ID card and giving it to you to verify identity. This isn't necessarily a problem, despite browser warnings, if you know/trust who generated the certificate or did it yourself.
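The point both answers make (a self-signed cert is cryptographically valid but only "trusted" by whoever chose to trust it, and trusting it extends to anything it signs) can be checked with the openssl CLI. This is an added example, not code from either answer; it assumes openssl is installed, and the CA name and hostname are constructed.

```sh
#!/bin/sh
# Added example: a self-signed "CA" signs a second certificate for an
# arbitrary name. Neither cert verifies against the system trust store,
# but both verify once the self-signed CA is trusted explicitly.
# Assumes the openssl CLI; "Home-made CA" and the hostname are made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate (issuer == subject) for a made-up CA.
make_self_signed_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Home-made CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Let that self-signed CA sign a certificate for whatever name we ask for:
# the "claim to be anyone" problem from the first answer.
make_leaf_signed_by_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -days 1 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Verify with the system trust store only; the home-made CA is not in it.
verify_with_system_store() {
  if openssl verify "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Verify after explicitly trusting the home-made CA, which is what a user
# does when they click through the browser warning and store the cert.
verify_trusting_ca() {
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_self_signed_ca
make_leaf_signed_by_ca "www.example.invalid"
echo "CA   via system store: $(verify_with_system_store "$WORK/ca.pem")"
echo "Leaf via system store: $(verify_with_system_store "$WORK/leaf.pem")"
echo "CA   trusting the CA:  $(verify_trusting_ca "$WORK/ca.pem")"
echo "Leaf trusting the CA:  $(verify_trusting_ca "$WORK/leaf.pem")"
```

The leaf's signature is perfectly good RSA, so the session it protects would be encrypted just as the second answer says; what changes between the two verify calls is only who you have decided to trust.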