While technically possible that doesn't get you very far, you'd end up with a self-signed certificate. That works fine except for the scary warnings (which look a bit unprofessional). And of course if the client programs of your service do not have an interface for accepting self-signed certificates, you're back to square one.
Yes, I know; this people-scaring started with FF2, IE7? There is nothing wrong with self-signed certs, except useless companies wanna make a quick buck selling FUD.
There absolutely should've been some sort of "encrypted but not verified" handling for self-signed certificates. The current state of browsers is that unencrypted HTTP is presented as safer than self-sign encrypted HTTPS. That's lunacy.
Unfortunately, there isn't, and as a result self-signed certificates are useless to anyone running an HTTPS site that expects any visitors.
Though I don't enjoy the current sad state of affairs with regards to the security and validation of CAs, there's something to be said for the old adage that no security is better than false security, and trusting all self-signed certificates would definitely be false security, since eavesdroppers could just do a man-in-the-middle with their own self-signed certificate.
> Though I don't enjoy the current sad state of affairs with regards to the security and validation of CAs, there's something to be said for the old adage that no security is better than false security, and trusting all self-signed certificates would definitely be false security, since eavesdroppers could just do a man-in-the-middle with their own self-signed certificate.
Currently, self-signed HTTPS is trusted less than unencrypted HTTP. We don't get a massive warning if visiting Facebook over HTTP, despite the MITM risk and the fact that data is being sent in clear to boot.
The browsers don't do it because it violates normal people's expectations of what encryption does. If you are a man-in-the-middle, you provide your own self-signed cert; if the browser accepts self-signed certs, then the user sees an "encrypted" connection, but the encrypted data goes to the man-in-the-middle! Sure, you went through the motions of encryption, but the data is plaintext to the attacker. Self-signed certs could work together with some other kind of infrastructure, something like Perspectives, but leaving everything else as it is, self-signed certs don't provide anything to the normal user.
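The "other kind of infrastructure" the comment above alludes to can be as simple as trust-on-first-use pinning: record the SHA-256 fingerprint of a host's self-signed certificate the first time it is seen, and refuse any later connection that presents a different one. The following is an added example written for this thread, not code from any commenter; the hostnames, file name and certificate bytes in `demo()` are constructed placeholders, and `connect_with_pin` is a hypothetical client that uses the pin instead of CA chain validation.

```python
"""Trust-on-first-use (TOFU) pinning for self-signed certificates.

Added example, not from the thread. The pinned fingerprint stands in for
the CA: the first contact records the certificate's SHA-256, and every
later contact must present the same one, so a man-in-the-middle who
substitutes their own self-signed certificate is detected rather than
silently accepted.
"""
import hashlib
import hmac
import json
import os
import socket
import ssl
import tempfile
from pathlib import Path


class PinMismatch(Exception):
    """The host presented a certificate that differs from the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """Maps hostnames to pinned fingerprints; optionally persisted as JSON."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins))

    def check(self, host: str, der_cert: bytes) -> str:
        """Pin on first use, then require the same fingerprint forever after."""
        fp = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self._save()
            return "first-use"
        # constant-time compare so the check itself leaks nothing
        if hmac.compare_digest(known, fp):
            return "match"
        raise PinMismatch(f"{host}: pinned {known[:16]}..., got {fp[:16]}...")


def connect_with_pin(host: str, port: int, store: TofuStore, timeout=5.0) -> str:
    """Hypothetical client: TLS without CA validation, authenticated by the pin.

    CERT_NONE only disables chain building; the TofuStore.check call is what
    decides whether the peer is the one we talked to before.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return store.check(host, der)


def demo() -> list:
    """Offline walk-through with constructed certificate bytes (not real DER)."""
    cert_a = b"constructed DER bytes for the legitimate self-signed cert"
    cert_b = b"constructed DER bytes presented by a man-in-the-middle"
    results = []
    with tempfile.TemporaryDirectory() as d:
        pin_file = os.path.join(d, "pins.json")  # placeholder pin store
        store = TofuStore(pin_file)
        results.append(store.check("self-signed.example", cert_a))  # first-use
        results.append(store.check("self-signed.example", cert_a))  # match
        reloaded = TofuStore(pin_file)  # pins survive a restart
        results.append(reloaded.check("self-signed.example", cert_a))  # match
        try:
            reloaded.check("self-signed.example", cert_b)
            results.append("accepted")
        except PinMismatch:
            results.append("mismatch")  # the substituted cert is rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The first contact is still unauthenticated, which is exactly the gap Perspectives-style notaries were meant to close by comparing what several vantage points see; after that, the pin turns a bare self-signed certificate into something a client can actually rely on.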
If you're dealing with end customers (like an eCommerce site), you're going to have lots of questions from nervous customers. Or worse, you'll never hear from them.