Learn difference between CA vs Self-signed SSL Certificates

sophieperrone

Free Member
Oct 31, 2012
Newark, DE
Note: This post is only for people with basic knowledge of SSL certificates (learn more about SSL certificates here: http://en.wikipedia.org/wiki/Secure_Sockets_Layer ).

I have found many people asking this question before selecting SSL certificates for their online properties.

Self-signed certificate

A self-signed certificate has no reliable features. The certificate has signed itself. Self-signed certificates are generally used for test and local servers, where security is not a big worry. The web browser will show a warning that the website's certificate cannot be verified. Such certificates are not signed by a certificate authority. A self-signed certificate does not provide security for the data that flows in the tunnel between browser and server, hence anyone with ill intent can harm it.

Signed certificate (CA SSL certificates)

A signed certificate is an authorized certificate issued by a trustworthy certificate authority. Secure Sockets Layer is used to encrypt the data between the web server and the client's browser. When a client visits the site, the address bar shows the authenticity of the website. It boosts customer confidence. The information that flows in the tunnel is secure. The most common certificate authorities are VeriSign, Thawte, RapidSSL, etc. Both kinds of certificate provide encryption technology, but only the signed certificate is verified by an authority.

Have you ever purchased an SSL certificate before? Which one?
 

KM-Tiger

Free Member
Aug 10, 2003
Bexley, Kent
.... Such certificates are not signed by a certificate authority. A self-signed certificate does not provide security for the data that flows in the tunnel between browser and server, hence anyone with ill intent can harm it.

That is bad misinformation.

Self-signed certs are signed by a CA, but it's your own one rather than a commercial one that is included in browsers by virtue of having paid to be included. The resultant connection is just as secure, provided that your own CA server is secure.

That said, the world in general will "trust" a commercial CA more than a self-signed one, but only because their browser (or email client) doesn't pop up a warning.
 
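The point KM-Tiger makes above (a self-signed certificate is signed by a CA, just your own, and the connection is as strong as a CA-signed one) can be checked with the openssl command line. The script below is an added example, not code from the thread or from any of the CAs named in it. It assumes an openssl binary of version 1.1.1 or later is on the path; the host name www.example.test and the CA name "Example Private Root CA" are made up for the demonstration. It builds a private root CA, signs a server certificate with it, makes a self-signed certificate for the same host with the same key, and then runs the checks a browser's verifier runs (chain building to a trust anchor plus host-name matching) against each.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA, sign a server
# certificate with it, and make a self-signed certificate for the same host,
# then run the checks a browser's verifier would. The host name and the CA
# name are hypothetical.
set -eu

HOST=www.example.test
WORK=$(mktemp -d)
cd "$WORK"

# Extensions for the private root: it must declare itself a CA, or openssl
# will refuse to accept it as an issuer when building the chain.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Extensions for the server certificate: the name the client matches against.
printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext

# 1. Private root CA ("your own CA"): a key and a self-signed CA certificate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Private Root CA" \
  -keyout ca.key -out ca.csr 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -sha256 -days 30 \
  -extfile ca.ext -out ca.crt 2>/dev/null

# 2. Server key and CSR; the CSR is signed by the private CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -sha256 -days 30 -extfile san.ext -out server-ca.crt 2>/dev/null

# 3. Self-signed certificate: same key, same name, same CSR, signed by itself.
openssl x509 -req -in server.csr -signkey server.key -sha256 -days 30 \
  -extfile san.ext -out server-self.crt 2>/dev/null

# verify_with ANCHOR CERT: build a chain from CERT to ANCHOR and check the
# host name, which is what a browser does with its trust store. Prints OK or
# FAIL. (openssl verify also consults the system store by default; neither
# of our certificates is in it, so that does not change the outcome.)
verify_with() {
  if openssl verify -CAfile "$1" -verify_hostname "$HOST" "$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# key_bits CERT: size of the public key carried in the certificate.
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# is_self_signed CERT: yes when the issuer name equals the subject name.
is_self_signed() {
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  if [ "$iss" = "$sub" ]; then echo yes; else echo no; fi
}

echo "CA-signed cert, client trusts our private CA:   $(verify_with ca.crt server-ca.crt)"          # OK
echo "Self-signed cert, client trusts our private CA: $(verify_with ca.crt server-self.crt)"        # FAIL
echo "Self-signed cert, client pins that very cert:   $(verify_with server-self.crt server-self.crt)"  # OK
echo "Key bits, CA-signed vs self-signed: $(key_bits server-ca.crt) vs $(key_bits server-self.crt)"
echo "Issuer equals subject? CA-signed=$(is_self_signed server-ca.crt) self-signed=$(is_self_signed server-self.crt)"
```

The three verify lines are the whole argument: the same certificate passes or fails depending only on which trust anchor the client holds, and pinning the self-signed certificate in the client's store is exactly the "your own CA" case. The key sizes (and, in a live handshake, the cipher suite) are identical for both certificates, since they are chosen by the key pair and the TLS configuration, not by who signed the certificate. What the example does not show is revocation: a browser can only check a CRL or OCSP responder that the issuing CA publishes, which is the one operational advantage a public CA keeps over a self-signed certificate.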

Cromulent

Free Member
Dec 8, 2008
That is bad misinformation.

Self-signed certs are signed by a CA, but it's your own one rather than a commercial one that is included in browsers by virtue of having paid to be included. The resultant connection is just as secure, provided that your own CA server is secure.

That said, the world in general will "trust" a commercial CA more than a self-signed one, but only because their browser (or email client) doesn't pop up a warning.

Quite right.
 

sophieperrone

Free Member
Oct 31, 2012
Newark, DE
That is bad misinformation.

Self-signed certs are signed by a CA, but it's your own one rather than a commercial one that is included in browsers by virtue of having paid to be included. The resultant connection is just as secure, provided that your own CA server is secure.

That said, the world in general will "trust" a commercial CA more than a self-signed one, but only because their browser (or email client) doesn't pop up a warning.

The importance of third-party validation is most apparent. A certificate signed by a trusted, independent CA helps ensure the organization that owns the certificate is indeed what it claims to be.

Organizations can “self-sign” certificates. When companies use self-signed certificates, in effect they are saying, "I verify that I am myself. Trust me."


  • A self-signed certificate is one signed with its own private key.
  • Self-signed certificates cannot (by nature) be revoked, which may allow an attacker who has already gained access to monitor and inject data into a connection to spoof an identity if a private key has been compromised. CAs, on the other hand, have the ability to revoke a compromised certificate if alerted, which prevents its further use.
  • A self-signed certificate doesn't provide any guarantee of its security.
Hence most internet users cannot trust a self-signed cert, because it is not issued by a trusted CA.

Helpful Links - https://www.thawte.com/assets/documents/whitepaper/hidden-costs-self-signed-ssl-certificates.pdf and http://en.wikipedia.org/wiki/Self-signed_certificate
 

serverhouse

The importance of third-party validation is most apparent. A certificate signed by a trusted, independent CA helps ensure the organization that owns the certificate is indeed what it claims to be.

Organizations can “self-sign” certificates. When companies use self-signed certificates, in effect they are saying, "I verify that I am myself. Trust me."

http://en.wikipedia.org/wiki/Self-signed_certificate

An SSL certificate (of either kind) ensures secure transmission of data between you and another server, without the risk of 'man in the middle' attacks.

Historically it was quite hard to get an SSL certificate; you had to send off your company registration and your newborn's right arm. This meant only REAL companies had them.

However, these days it's very easy and very cheap, which for me devalues it.

  • CA-signed is definitely better than self-signed
  • With CA-signed being so cheap, I don't see why everyone doesn't do it.
  • Just because someone has a CA-signed certificate, it doesn't stop them defrauding you.
  • A CA-signed certificate doesn't stop your personal details being put into a plain-text e-mail
  • Self-signed is still secure
Online security is multifaceted.


Do your research!
 

Cromulent

Free Member
Dec 8, 2008
The importance of third-party validation is most apparent. A certificate signed by a trusted, independent CA helps ensure the organization that owns the certificate is indeed what it claims to be.

Most websites simply use $10-a-year domain-validated SSL certificates from a CA. Just because a CA has signed the SSL certificate, it doesn't mean that they have validated you.

You need one of the higher-priced SSL options if you want validation as well. Preferably you'd get an EV SSL certificate if validation were important to you and your business.
 

sophieperrone

Free Member
Oct 31, 2012
Newark, DE
I admit that when you use a self-signed certificate the information between your web browser and the server will be encrypted, but it is not as secure as when you use an SSL certificate provided by a CA (which is definitely more secure, and the encryption is definitely stronger compared to a self-signed SSL certificate).

As far as the pricing structure of SSL certificates is concerned, there are hundreds of SSL certificate products available, and each has its own functionality.

An SSL certificate (of either kind) ensures secure transmission of data between you and another server, without the risk of 'man in the middle' attacks.

Historically it was quite hard to get an SSL certificate; you had to send off your company registration and your newborn's right arm. This meant only REAL companies had them.

However, these days it's very easy and very cheap, which for me devalues it.

  • CA-signed is definitely better than self-signed
  • With CA-signed being so cheap, I don't see why everyone doesn't do it.
  • Just because someone has a CA-signed certificate, it doesn't stop them defrauding you.
  • A CA-signed certificate doesn't stop your personal details being put into a plain-text e-mail
  • Self-signed is still secure
Online security is multifaceted.


Do your research!

You are right, but the post we are discussing here is about self-signed vs signed SSL certificates.

As I said earlier, each organization has its own requirements for an SSL certificate. For example:
- domain validation
- organization validation
- multiple-domain SSL
- same domain, multiple sub-domain SSL, etc.

Depending upon these requirements, one will have to choose an SSL certificate, and the one you have mentioned will not work for all the mentioned cases!!

Most websites simply use $10-a-year domain-validated SSL certificates from a CA. Just because a CA has signed the SSL certificate, it doesn't mean that they have validated you.

You need one of the higher-priced SSL options if you want validation as well. Preferably you'd get an EV SSL certificate if validation were important to you and your business.

Thank you for your feedback,

Being a part of the SSL certificate industry, we always try to learn and understand different aspects of the industry. I am still saying the same thing: a SELF-SIGNED SSL certificate is not issued by a CA like Thawte, GeoTrust, etc. You can generate a self-signed SSL certificate with OpenSSL free of cost. Read this article to learn more about self-signed SSL:

http://webdesign.about.com/od/ssl/ht/new_selfsigned.htm

I am pleased to see so much feedback on my post; that encourages me to do more and more work in this specific niche.

Thank you all.

So the OP sells SSLs but doesn't understand them :rolleyes:
