科技回声: a tech-news platform built on Next.js, serving global tech news and discussion.

Self-signed SSL Certificates

23 points, by joshbetz, about 13 years ago

9 comments

tptacek, about 13 years ago

Self-signed certificates are fine for "personal" use (ie, to give a small number of people an encrypted channel to something like an admin console).

But "making sure the certificate was generated properly" is not the only thing Verisign is doing. The other thing Verisign does is sign your certificate for you.

The reason that matters is that in the wild, any attacker that can see packets or control DNS can MITM your SSL connections. When they do that, they too will present a valid-looking "self-signed" certificate.

The way your browser "breaks the tie", or tells the good cert from the bad one, is to check to see if the cert is properly signed all the way back up to a browser root.

Again, this is fine in a personal setting: just accept the cert the first time you log in. As long as you're not getting the warning every time, you'll be fine. But it's not fine when you're talking about thousands of people hitting a public service.

(Strong agree with upthread comment about installing Convergence).
darklajid, about 13 years ago

Why?

StartSSL gives you the same thing for free (as in beer), without the popup and without training users to ignore the warnings.

I'm not a fan of certificate authorities in the first place, but for now they seem to be a good compromise between playing along and not throwing your savings at some snake-oil sellers.
newman314, about 13 years ago

I wouldn't say insanely secure. http://blog.trendmicro.com/2010s-most-dangerous-list/

Keeping your WP install up to date is going to go a long way in helping secure things.

Second, the comment about using StartSSL instead of a self-signed cert.

Also, make sure you are using a sane config of ciphers. I've seen too many sites where SSL is set up but the cipher list is set to the most insecure possible due to lack of configuration. It's not that hard and actually makes the use of SSL usable.
JohnTHaller, about 13 years ago

You can't really trust the opinion of someone who leads with: "I use WordPress and it’s insanely secure". It's not. It has serious security bugs in it which allow full web server access on a fairly regular basis. You need to keep it up to date and subscribe to the announcement list to ensure you don't miss an update, just like you do with any content management system.
alexchamberlain, about 13 years ago

You could install your public certificate on your computer, rather than ignore the warnings.
eli, about 13 years ago

1) training people to ignore browser SSL messages in any situation is, I think, not such a great idea,

and 2) those warnings are there for a reason. How do you know that it's *your* self-signed cert you're being presented with and not a MITM attack? Do you check the fingerprint? Is your browser set up to warn you if the cert has changed since the last time you logged in?
rshm, about 13 years ago

Installing http://convergence.io/

will solve the certificate warning problems.
joshbetz, about 13 years ago

I definitely never meant to suggest that training people to ignore security warnings was the right way to do anything. I've updated the post to note that you would be required to install the certificate locally to be certain that it's actually the correct cert.

I appreciate the suggestions for free options. There have been some people that have had problems with these services in the past, but I'll definitely look into them.
zupreme, about 13 years ago

I think the OP is dead on. The goal here is to encrypt your connection, not to bypass industry-standard security measures.

Once you install the cert (client-side) you are protected just as you would be with a publicly signed cert. If you are ever subjected to a Man-In-The-Middle attack or a spoofing attempt, the exact same flags would occur.

This is not a solution for eCommerce, or for your web-app's user sign-in page. This is for your admin panel and backend which only you (or your staff if you have one) will be using.

If you actually install the cert to your local certificate store (as opposed to just cancelling out of the alert) you should be solid.

Great post Josh.
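The checks eli asks about (do you verify the fingerprint, and will you be warned if the cert changes?) and the "install the cert locally" step zupreme describes, written out as an added example that is not code from this thread: trust-on-first-use pinning of a self-signed certificate's SHA-256 fingerprint. The host name, the in-memory pin store and the `pin.py` file name are assumptions.

```python
import hashlib
import socket
import ssl
import sys


class PinMismatch(Exception):
    """The presented certificate differs from the one pinned earlier."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, colon-separated like `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(pins: dict, host: str, cert_der: bytes) -> str:
    """Trust-on-first-use: remember the fingerprint on first contact, then insist that
    every later connection presents the same certificate.

    Returns "pinned" on first contact and "ok" on a match; raises PinMismatch when the
    certificate has changed, which is exactly what a MITM with its own self-signed cert produces.
    """
    seen = fingerprint(cert_der)
    expected = pins.get(host)
    if expected is None:
        pins[host] = seen  # first visit: the equivalent of installing the cert locally
        return "pinned"
    if expected != seen:
        raise PinMismatch(f"{host}: pinned {expected} but server sent {seen}")
    return "ok"


def fetch_cert(host: str, port: int = 443) -> bytes:
    """Return the leaf certificate the server presents, DER-encoded.

    Chain verification is switched off on purpose: a self-signed cert has no path to a
    browser root, so the fingerprint pin in check_pin() is the only check that remains.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python pin.py admin.example.org  (hypothetical host; the pin store is in memory)
    pins = {}
    print(check_pin(pins, sys.argv[1], fetch_cert(sys.argv[1])), pins)
```

Persisting `pins` to disk turns this into the "warn me if the cert changed since last login" behaviour eli asks for; until then, a changed fingerprint is a reason to stop, not to click through.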