Indy has a comment that self signed certs are now “more secure” than third party ones.
I disagree. Why? Because we’re training our end users to blindly click on certificates. So are you going to sit down with folks and tell them to go ahead and examine each time they use a self signed cert? I don’t think you will, but that’s what we’ll need to ask someone. Can they trust the certificate chain all the way back? Can you train them on what to look for for bad certificates? Granted our best mitigation is to train users to be more paranoid and not blindly click in general.
“Most attack will probably still use bad certificates and ask the user to click “ok” to accept the bad certificate.”