Do i have to pay or create accounts on third party services to use HTTPS (in nginx)?
I never used https on my sites because there are some giant warnings ("dangerous") in browser when you go to a website that is self-signed. No warnings on plain http.
> I do agree that the extreme mistrust of browsers towards self-signed certificates is an odd thing.
No, not at all; it's the whole point of SSL. The guy MITMing an SSLed website can create a cert for that site himself, but he can't get it signed by a CA. So he has to sign it himself. Thus, from the browser's perspective, all self-signed certs are possible instances of "there used to be a CA-signed cert here, but now you're being MITMed."
Now, that's not to say something like self-signed certs wouldn't be nice--given some sort of distributed pin cache, we could have something closer to an SSH/PGP model where everyone's current self-signed cert "fingerprint" is on file, and alarm bells go off if you see a cert different from the one you're supposed to see. But without that, self-signing is literally no more secure than no SSL at all: anyone else can also self-sign to MITM you.
It's free but they charge you to revoke a certificate, which is quite unfortunate as it discourages people from revoking if they e.g. leak their private key.
You could also think about getting CAcert(ified?) and promote the CAcert root certificates getting included in more browsers. This is not measurably more insecure since SSL is mostly snakeoil anyways as long as you rely on external entities[0] to verify the identity of websites.
Ideally, browsers would store the certificate presented on the first visit to a website and compare the certificate presented on following visits to that stored certificate to warn the user on mismatches – so far, I have not yet found a usable implementation thereof, and especially not one more widespread than CAcert.
[0] Among them such trustworthy companies as DigiTrust, TÜRKTRUST or CNNIC.
I never used https on my sites because there are some giant warnings ("dangerous") in browser when you go to a website that is self-signed. No warnings on plain http.