CA certificate recommended or not for a website containing a blog?
I'm building a simple blog website using Apache and following the HowTo to enable SSL/TLS on my server: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html
For the purpose of this website, would the best practice be to get a CA-trusted certificate?
Does enabling SSL/TLS on the server with a self-signed certificate increase the security level compared to using only HTTP, or does using SSL/TLS without a CA not make sense?
Any feedback would be appreciated to get more understanding.
Yes, a proper CA-signed certificate is best practice. Self-signed certificates should only be used in very limited environments, e.g. for dev purposes.
Fortunately, you can just use https://letsencrypt.org/, it's free, it's simple to use and since its arrival, there is no longer an excuse to not encrypt or to only use self-signed certificates.
Some explanation: Signed certificates have a double purpose - besides encryption, they are also meant to show that the service is legitimate and that the entity running the service is in control of the domain (at higher verification levels, it also includes verified identification of the certificate owner, e.g. that the CA verified that the certificate indeed was created on behalf of the existing company Example Inc.).
Not having a cert signed by a trusted CA will lead to (all?) browsers outright rejecting the connection with a stern warning. Forcing your users to create an exception for your site is considered bad practice because most users should only learn that if they see that kind of warning, they should not continue as something is very wrong - they should not be trained to ignore this.
It is essential that your blog is encrypted with a trusted CA SSL certificate instead of a self-signed certificate.
SSL provides data integrity, authenticity and security for your blog and helps to protect the site from man-in-the-middle and eavesdropping attacks, so hackers cannot modify the content. CA-signed certificates offer an industry-standard 2048-bit encryption key length and validate your control over the domain to prove website trustworthiness.
Google announced:
For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now, it's only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
Source: https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html
Self-signed vs CA signed SSL certificates
Security-wise, both certificates provide the same protection and encryption for your website, and your shared information will be safe and secure on the Internet. The difference between the two certificates is customers' trust.
A CA is an entity that verifies the website and/or business ownership before issuing a digital certificate for your website. This means the authentication process is handled by a third party. CA-signed certificates are recognized by all browsers and display secure signs (green padlock and HTTPS://), so your web users can easily notice that the website is safe and reliable.
A self-signed certificate is self-generated, with the verification process missing, which means there is a big question about the website's honesty. Browsers don't support self-signed certificates and display your web pages with a warning message.
Read more about the risks involved in self-signed certificates: https://www.ssl2buy.com/wiki/self-signed-certificate-vs-trusted-ca-signed-certificate/
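The point both answers above make (same key and encryption, different trust) can be reproduced with openssl alone. This is an added example, not from the question or any of the answers; the names blog.example and Example Private CA are made up, and it assumes openssl 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Self-signed vs CA-signed, shown with openssl only. Everything runs offline
# in a scratch directory; "blog.example" and "Example Private CA" are made-up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed server certificate: the same key type and strength as any other
# certificate, but issuer == subject, so nobody else vouches for it.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=blog.example" -keyout self.key -out self.crt 2>/dev/null
}

# A private CA plus a server certificate whose issuer is that CA (what a
# public CA such as Let's Encrypt does, except browsers already trust it).
make_ca_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Private CA" -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=blog.example" \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -out server.crt 2>/dev/null
}

# is_self_signed CERT: succeeds when the certificate's issuer equals its subject.
is_self_signed() {
  iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
  sub=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
  [ "$iss" = "$sub" ]
}

# verify_against CERT TRUSTFILE: prints "ok" when CERT chains to a certificate
# in TRUSTFILE (a browser does the same with its built-in root store), else "fail".
verify_against() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_self_signed
make_ca_signed
echo "self.crt   trusted via ca.crt:   $(verify_against self.crt ca.crt)"    # fail
echo "server.crt trusted via ca.crt:   $(verify_against server.crt ca.crt)"  # ok
echo "self.crt   trusted via self.crt: $(verify_against self.crt self.crt)"  # ok
```

The last line is the "browser exception" the first answer warns about: the self-signed certificate only validates once you explicitly add it to the trust store yourself.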
From the point of view of security, both certificates can be created for security and provide an HTTPS connection. The main difference is 'trust'. A certificate from a trusted CA implies that your website is secure, as it is certified by a trusted source. A CA like Comodo verifies domain ownership and business details before issuing the certificate.
A self-signed certificate can be used by web developers when working on a secure website; they can test the site using a self-signed SSL certificate. A self-signed certificate is like a self-verifying document or driving license, which can't be used in any legal process or verification. For any legal work you need a certificate verified by a legal authority.
So, an SSL certificate from a trusted CA will be the ideal solution, as HTTPS is now a Google ranking factor along with web security. And for a blog, you can adopt a domain-validated SSL certificate, which is offered at low cost by many CAs.