When Is a Self-Signed SSL Certificate Acceptable?
UltraLoser writes "When is it acceptable to encourage users to accept a self-signed SSL cert? Recently the staff of a certain Web site turned on optional SSL with a self-signed and domain-mismatched certificate for its users and encourages them to add an exception for this certificate. Their defense is that it is just as secure as one signed by a commercial CA; and because their site exists for the distribution of copyrighted material, the staff do not want to have their personal information in the hands of a CA. In their situation, is it acceptable to encourage users to trust this certificate, or is this giving users a false sense of security?"
Yeah, we should trust Debian instead.
How do security morons like you get modded insightful? What the fuck? It's idiots like you that we can blame for all the stupid fucking once-off self-signed certificates on the internet. I don't know who the site is, I've never visited before, but I'm being asked to trust their certificate. There IS NO PRE-EXISTING RELATIONSHIP. There IS NO "BEFORE".
Fuck you and the moron horse you rode in on. Making the internets less secure by being a FUCKING MORON.
-- Your local TLS implementer, who has finally lost his shit with YOU STUPID MOTHER FUCKING SELF-SIGNED IDIOTS.