Murphy175

Would using a self-signed SSL certificate be appropriate in this scenario?

@Murphy175

Posted in: #SecurityCertificate

Now I realize this topic has been discussed in a few questions before (specifically this one), but I'm still a little confused about the implications of using a self-signed certificate, and how I would be affected by doing so in this case. After reading various sources, I'm still a little confused about the exact details of using one.


The biggest problem with a self-signed certificate, is a man-in-the-middle attack. Even if you are 100% sure that you are on the correct website and you completely trust the site (your email server for example), you could have someone intercept the connection and present you with their own self-signed certificate. You would think that you are using a secure connection with your email server but you are really using a secure connection to an attacker's email server. – SSL Shopper


So somebody could switch out my self-signed certificate with their own, and I wouldn't be able to detect it? The way this site phrases it, it makes it sound worse to install a self-signed certificate than to leave your site without a certificate at all.


Self-signed certificates cannot (by nature) be revoked, which may allow an attacker who has already gained access to monitor and inject data into a connection to spoof an identity if a private key has been compromised. CAs on the other hand have the ability to revoke a compromised certificate if alerted, which prevents its further use. - Wikipedia


Does this mean that the only way someone could switch out their own certificate for mine is for them to find out the private key? I suppose this is more secure, but I'm still slightly confused about what exactly results from using a self-signed certificate. Is the only issue that obnoxious security warning that pops up in your browser when directed to the site, or is there more to it?



Now in my case, I want to add an SSL certificate to a minuscule Wordpress blog I run that I don't expect anyone else will read anytime soon; I mainly started it to get into the habit of blogging, and to learn more about the process of administrating a site (ex. what to do in situations like this one). Whenever I go to the login page and there's an instead of , I cringe a little. Submitting my password feels like I'm shouting my password out loud with hundreds of people listening.

I don't plan on adding any other authors to the site, so I am the only person who would ever need to login. This isn't a site I'm trying to get page views from, or one that handles e-commerce or any sensitive info like that, simply my username and password to login with. One of the concerns (that I've gathered so far) of a self-signed certificate is that non-technical users might be scared by the security warning, but this would not be an issue in my case.

TL;DR: If scaring visitors away isn't a concern (which it isn't in my case), is it acceptable to use a self-signed certificate for the purpose of encrypting my Wordpress blog's password, or are there added security issues I should be aware of? Essentially, I'm wondering whether adding a self-signed certificate will be safer than leaving my login page the way it is now, or if it adds the potential for more security breaches than leaving it sans-SSL.

2 Comments

@BetL925

You can use a self-signed cert. From your browser's perspective, the only difference between a self-signed cert and a CA-signed cert is that your browser does not implicitly trust the self-signed cert, hence the popup warning.

While the man-in-the-middle attack is a completely valid concern, once that cert is trusted, either permanently or temporarily per session, the quality of the actual session and data encryption is no different.

If you are selling something on your blog and accepting credit card payments, a self-signed cert would be considered insufficient. If you are simply SSL-encrypting a login page that only you are meant to see and use, self-signed is fine, but when you generate it, set the key size to something over 1024 bits and use SHA over MD5 if you can.

All this being said, there is a CA out there that issues free CA signed certs named StartCom and there are also lots of low cost providers as well.


@Turnbaugh106

is it acceptable to use a self-signed certificate for the purpose of encrypting my Wordpress blog's password


Yes. Some security is better than no security.

"Man-in-the-middle" can be easily avoided just by keeping your eyes open: check the presented cert's SHA checksum, for example.

In the best form you can build your own CA, issue a root CA cert and a server cert, and have a fully trusted (by you only) chain. Try to find the ssl-ca bundle (c) 2000 Yeak Nai Siew on the Net.
