On Sat, 9 Nov 2013 12:50:18 +0000 mick mbm@rlogin.net wrote:
I don't see any problem per se with a self-signed certificate on a site which does not purport to protect anything sensitive (such as financial transactions). The problem with this particular certificate is that the common name identifier is both wrong (www) and badly formatted (http://). But both of those errors can be corrected very quickly.
Why pay a CA if you don't trust the CA model?
If your primary objection is the need to pay for certificates (and not e.g. the possibility of CA itself being backdoored etc), then I'd suggest considering CACert[1]. It provides free wildcard certificates which are already trusted out of the box by some[2] FOSS operating systems such as Debian.
I'd say it is better than trusting individual self-signed certs, and somewhat better than using your own root CA cert, since it saves the effort required to install your own CA on all machines you need to use it on.
[1] http://www.cacert.org/
[2] http://wiki.cacert.org/InclusionStatus
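Added example (not part of the thread above): a small checker for the two certificate problems discussed, a common name carrying a URL scheme or the wrong hostname, and wildcard names of the kind CACert issues, matched against a host using the RFC 6125 rules (one leading `*` covers exactly one label). The hostnames are constructed for illustration.

```python
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def name_problems(name: str) -> list:
    """Return formatting problems with a certificate subject name (CN or dNSName SAN)."""
    problems = []
    if "://" in name or "/" in name:
        # The thread's case: a CN such as "http://www.example.net" is not a hostname.
        problems.append("contains a URL scheme or path; a subject name must be a bare hostname")
        return problems
    labels = name.split(".")
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                problems.append("wildcard is only allowed in the leftmost label")
        elif "*" in label:
            problems.append("partial-label wildcards such as 'w*' are not accepted")
        elif not LABEL_RE.match(label):
            problems.append(f"label {label!r} is not a valid DNS label")
    if labels[0] == "*" and len(labels) < 3:
        problems.append("a wildcard must sit under at least a second-level domain")
    return problems


def name_matches(presented: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, '*' matches one whole label, never a dot."""
    presented, host = presented.lower().rstrip("."), host.lower().rstrip(".")
    if name_problems(presented):
        return False
    p_labels, h_labels = presented.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_host(subject_cn: str, sans: list, host: str) -> bool:
    """Clients prefer dNSName SANs and fall back to the CN only when none are present."""
    names = sans if sans else [subject_cn]
    return any(name_matches(n, host) for n in names)


if __name__ == "__main__":
    # Constructed names: the broken self-signed CN versus a correct wildcard SAN.
    print(name_problems("http://www.example.net"))
    print(cert_matches_host("www.example.net", [], "example.net"))      # wrong CN: False
    print(cert_matches_host("example.net", ["*.example.net"], "www.example.net"))  # True
```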