Self signed certs better?

On December 30, 2008, in Security, by

Indy has a comment that self signed certs are now “more secure” than third party ones.

I disagree. Why? Because we’re training our end users to blindly click through certificate warnings. Are you going to sit down with users and tell them to examine the certificate every time they hit a self signed one? I don’t think you will, but that is what we would need to ask of them. Can they trust the certificate chain all the way back to the root? Can you train them on what to look for in a bad certificate? Granted, our best mitigation is to train users to be more paranoid and not blindly click in general.

“Most attacks will probably still use bad certificates and ask the user to click “ok” to accept the bad certificate.”



2 Responses to Self signed certs better?

  1. Gavin says:

    I agree 100% Susan.

    The yearly cost of a Thawte certificate is $149.00. This can (and in my opinion SHOULD) be easily built into any new network proposal, and solve all cert issues in a small business network.

    We’ll never install a self signed cert again. It’s just not necessary today.

  2. Jeff Dempsey says:

    I’m with you on this one, Gavin. The GoDaddy ones are sha1RSA (to find out, go to MMC -> Add Snap-in -> Certificates -> Local Computer, and in the Third-Party Root Certificates folder, double click your root certificate provider), and they should not be affected by this.

    We too never let the self signed one sit. It brings into play complacency, and makes a lot of issues go away. For $30/year, I tell my clients that it is worth it. For them (and for me…)
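The two questions raised on this page, whether a certificate chains back to a trusted root and which signature algorithm it carries (the check Jeff does by hand in MMC), are the ones a scanner should answer before a user ever sees a prompt. The program below is an added example, not code from the post or its commenters: it builds a constructed private CA and two leaf certificates for an invented host (`mail.example.test`), one issued by that CA and one self signed, then reports for each whether it is self signed, whether it verifies against the trust store, and whether its signature algorithm is one of the weak ones (MD2/MD5/SHA-1 based). The CA, host name and `Finding` type are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is what a certificate checker would report for one leaf certificate.
// (Hypothetical type defined for this example.)
type Finding struct {
	SigAlg       string // signature algorithm as reported by the parser
	WeakSigAlg   bool   // MD2/MD5/SHA-1 based signature
	SelfSigned   bool   // issuer == subject and the cert verifies under its own key
	ChainTrusted bool   // chains to a root in the trust store for the given host
}

// WeakSignatureAlgorithm flags the hash algorithms that should no longer be
// trusted on a certificate signature.
func WeakSignatureAlgorithm(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA,
		x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// isSelfSigned checks the issuer matches the subject AND the signature
// verifies with the certificate's own public key (a cert can fake the name
// match, but not the signature).
func isSelfSigned(c *x509.Certificate) bool {
	if !bytes.Equal(c.RawSubject, c.RawIssuer) {
		return false
	}
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// Inspect answers the page's two questions for a leaf certificate: does the
// chain lead back to a trusted root for this host, and is the signature sound?
func Inspect(leaf *x509.Certificate, roots *x509.CertPool, host string) Finding {
	f := Finding{
		SigAlg:     leaf.SignatureAlgorithm.String(),
		WeakSigAlg: WeakSignatureAlgorithm(leaf.SignatureAlgorithm),
		SelfSigned: isSelfSigned(leaf),
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	f.ChainTrusted = err == nil
	return f
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert signs tmpl with signer (parent's key) and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Scenario builds a constructed trust store (one private root CA) plus a
// CA-issued leaf and a self-signed leaf for the same host, and inspects both.
func Scenario() (trusted, selfSigned Finding) {
	now := time.Now()
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Lab Root CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	const host = "mail.example.test" // constructed host name
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafKey := newKey()
	leaf := makeCert(leafTmpl, ca, &leafKey.PublicKey, caKey) // issued by the CA

	selfTmpl := *leafTmpl
	selfTmpl.SerialNumber = big.NewInt(3)
	selfKey := newKey()
	self := makeCert(&selfTmpl, &selfTmpl, &selfKey.PublicKey, selfKey) // signs itself

	return Inspect(leaf, roots, host), Inspect(self, roots, host)
}

func main() {
	trusted, self := Scenario()
	fmt.Printf("CA-issued leaf:   %+v\n", trusted)
	fmt.Printf("self-signed leaf: %+v\n", self)
}
```

Run as-is and the CA-issued leaf reports `ChainTrusted:true SelfSigned:false`, while the self-signed one reports `ChainTrusted:false SelfSigned:true` because nothing in the store vouches for it; that is exactly the case where a browser would throw the prompt the post is worried about. Point `Inspect` at a certificate pulled from a real server (with the system roots instead of the constructed pool) and the `WeakSigAlg` field gives Jeff's sha1RSA check without opening MMC.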