• ttmrichter@lemmy.ml
    link
    fedilink
    arrow-up
    4
    ·
    3 years ago

    Self-signed certificates are too silly to bother with. Might as well go straight http if you’re going to go self-signed.

    A CA-signed cert reduces the chance of a bad actor between me and the target site. A self-signed cert opens the door to trivial MitM attacks.

    • pinknoise@lemmy.ml
      link
      fedilink
      arrow-up
      5
      ·
      3 years ago

      A CA-signed cert reduces the chance of a bad actor between me and the target site.

      Because bad actors that can hijack your traffic are unable to get a fake certificate signed?!

      A self-signed cert opens the door to trivial MitM attacks.

      How would that be?

      • ttmrichter@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        3 years ago

        Getting a fake certificate signed requires state level opposition or entities with that level of resources, and frankly if your opposition is state level, you’re fucked anyway.

        Self-signed certs let Jimmy-Joe-Bob’s Rifle Range and Real Good Hacker Script Kiddie Ring fake you out in minutes.

        • pinknoise@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          3 years ago

          Getting a fake certificate signed requires state level opposition or entities with that level of resources

          Yeah like I said, if they can hijack your traffic, they can easily get a fake cert signed.

          Self-signed certs let Jimmy-Joe-Bob’s Rifle Range and Real Good Hacker Script Kiddie Ring fake you out in minutes.

          How? They would have to steal the CA key and could only fake the site with the self signed cert. (At least if you don’t add it to your certificate store)