Why Self-Signed Certificates Are More Secure than Signed Ones

When Accessing Your PC From a Web Browser


Yes, I said it... Self-signed certificates are actually MORE SECURE than signed ones when accessing your PC from a web browser. And here's why:


When you visit a public website, your browser looks at the site's security certificate and checks whether it is signed by one of the hundred or so third-party "Certificate Authorities" (CAs) that the browser "trusts". If it is, you get a green padlock and your connection is considered secure (assuming there are no problems with the certificate). Website owners typically pay hundreds of dollars each year to have one of these companies sign their certificate.

You can probably already see a few problems with this scenario.

  1. There's money involved (Money = Influence)
  2. There's trust involved (Trust = Vulnerability)
  3. By signing certificates for thousands of high-profile websites, Certificate Authorities make themselves a high-value target for hackers

This type of certificate signing only works for websites with a registered domain name (www.website.com) and a static IP address (one that never changes). Private computers don't typically have these things because they cost more than most people are willing to pay for remote access to a single PC. That's where self-signed certificates come in.

Self-signed certificates are certificates that you create yourself using software. When you visit a website that uses a self-signed certificate, your browser will give you a BIG SCARY WARNING that says your connection is not secure.

How can this possibly be more secure, you ask? The reason is simple: Your PC is the web server, so you have access to the actual certificate. That means you can personally verify that the certificate in your browser matches the one on the server. Since only the server with the private key for that certificate can decrypt the data, you know your connection is secure. This is a direct verification that costs nothing and doesn't rely on trust. You can't do this with a public website (and neither can your browser) since you don't have access to the server.

Comparing certificates is easy thanks to fingerprints. A fingerprint is a shortened version (a hash) of a certificate, used to quickly check it against another for an exact match. All major web browsers and operating systems have a certificate viewer that will show you a certificate's fingerprint.
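The fingerprint check described above, as an added example in Python (not code from the original article): it hashes a certificate the same way a browser's certificate viewer does (SHA-256 over the DER encoding), formats it as the familiar colon-separated string, and compares the fingerprint of the certificate file on your server against the one the live server actually presents. The host, port and sample PEM are constructed placeholders.

```python
"""Pin a self-signed certificate by comparing SHA-256 fingerprints."""
import base64
import hashlib
import hmac
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not a PEM certificate")
    # b64decode ignores the line breaks inside the body by default.
    return base64.b64decode(body[len(PEM_HEADER):-len(PEM_FOOTER)])


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint in the AA:BB:CC form browsers display."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(expected: str, observed: str) -> bool:
    """Constant-time comparison tolerant of case, colons and spaces."""
    def norm(s: str) -> str:
        return "".join(c for c in s.upper() if c in "0123456789ABCDEF")
    return hmac.compare_digest(norm(expected), norm(observed))


def check_server(host: str, port: int, pinned_pem: str) -> bool:
    """Fetch the live certificate (no CA validation, since it is
    self-signed) and decide whether it is the one generated on the server."""
    live_pem = ssl.get_server_certificate((host, port))
    return fingerprints_match(fingerprint(pinned_pem), fingerprint(live_pem))


# Constructed sample: placeholder bytes, not a real DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real DER certificate"
SAMPLE_PEM = (PEM_HEADER + "\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + PEM_FOOTER + "\n")

if __name__ == "__main__":
    print("fingerprint of sample:", fingerprint(SAMPLE_PEM))
    # Against a real server you would run, with your own server.crt:
    #   check_server("my-pc.example", 443, open("server.crt").read())
```

A mismatch means the certificate reaching you is not the one on your server, which is exactly the case the browser warning cannot distinguish for you.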
