Why Self-Signed Certificates are More Secure than Signed ones
When Accessing Your PC From a Web Browser
Yes, I said it... Self-signed certificates are actually
MORE SECURE than signed ones when accessing your PC from a web browser. And
here's why:
When you visit a public website, your browser looks at the site's security certificate and
checks whether it is signed by one of the hundred or so third-party "Certificate Authorities" (CAs)
that the browser "trusts". If it is, you get a green padlock and your connection is
considered secure (assuming there are no other problems with the certificate, such as an expired
date or a name that doesn't match the site). Website owners typically pay hundreds of dollars
each year to have one of these companies sign their certificate (free CAs exist too, but the
trust model is exactly the same).
You can probably already see a few problems with this scenario.
- There's money involved (Money = Influence)
- There's trust involved (Trust = Vulnerability)
- By signing certificates for thousands of high-profile websites, Certificate Authorities
make themselves a high-value target for hackers. A compromised or careless CA can issue a
certificate for any website, and every browser that trusts that CA will accept it.
A CA will only sign a certificate for a registered domain name (www.website.com) whose
owner can prove they control it, and that name has to point at a server the CA can reach
while it checks. Private computers typically have neither a domain name nor a fixed public
address, because those cost more than most people are willing to pay for remote access to a
single PC. That's where self-signed certificates come in.
Self-signed certificates are certificates that you create yourself using software. When
you visit a website that uses a self-signed certificate, your browser gives you a
BIG SCARY WARNING that says your connection is not secure, because no CA in its list has
vouched for the certificate.
How can this possibly be more secure, you ask? The reason is simple:
Your PC is the web server, so you have the actual certificate in hand. That means
you can personally verify that the certificate your browser shows matches the one on the server.
Only the server holding that certificate's private key can complete the TLS handshake, so once
the two match you know you're talking to your own PC and not to something sitting in between.
This is a direct verification (the same idea as "certificate pinning") that costs nothing and
doesn't rely on trusting a third party. You can't do this with a public website, and neither can
your browser, because you don't have access to the server; the CA signature is a stand-in for
the check you can't make yourself. One caveat: the check is only as good as the comparison.
Do it before you tell the browser to accept the certificate, and if the fingerprint ever changes
when you didn't change the certificate, treat that as a sign that something is intercepting the
connection, not as a reason to click through the warning again.
Comparing certificates is easy thanks to fingerprints. A fingerprint is a hash (SHA-256, or
the older and weaker SHA-1) of the encoded certificate, a short value you can compare against
another to confirm an exact match; compare the SHA-256 value when the viewer offers both.
All major web browsers and operating systems have a certificate viewer that shows a
certificate's fingerprint (in the browser, click the padlock or warning icon next to the
address); on the server, the same tool you used to create the certificate can print it.