| Self-signed SSL certificates |
|
While a self-signed certificate provides encryption when visitors browse to a site, the browser displays a security alert because a trusted certificate authority did not verify it. Typical computer users cannot determine whether they are connecting to the site they want, or to a site run by a hacker carrying out a man-in-the-middle attack. Therefore, it is unwise and even dangerous to use a self-signed certificate for this purpose.

There is also a longer-term issue with using self-signed certificates. With the advent of the new EV SSL Certificates, browser developers are beginning to discourage the use of self-signed certificates by making the warnings to users much more dire than they were previously. Many people believe that this is simply the beginning of the end for self-signed certificates, and that support for them will eventually be taken out of the major browsers. When this happens, any products that depend on their use will have problems.

This is the warning that IE7 shows users who attempt to go to a website secured with a self-signed certificate. Notice that Microsoft recommends that users not browse to the site for fear of a security breach.
For more information about the dangers posed by self-signed certificates, please see our white paper, Untrusted Root Certificates Considered Harmful. |
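The distinction drawn above, as an added example that is not part of the original page: the script classifies a certificate as self-signed and checks whether a client that trusts only a given CA would accept it. It assumes the `openssl` CLI is installed; the function names, file names and certificate subjects are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Requires the openssl CLI.
# Every file name and CN below is constructed for this demo.

# make_demo_certs DIR: a self-signed server cert, a private root CA, and a cert that CA issued.
make_demo_certs() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=self.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=issued.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 2 -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# trusted_under ANCHOR CERT: succeeds only if CERT chains to the trusted ANCHOR.
trusted_under() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# classify_cert CERT: prints "self-signed" when subject and issuer match AND the
# signature verifies under the certificate's own key (openssl also checks validity dates).
classify_cert() {
    local cert="$1" s i
    s=$(openssl x509 -in "$cert" -noout -subject_hash)
    i=$(openssl x509 -in "$cert" -noout -issuer_hash)
    if [ "$s" = "$i" ] && trusted_under "$cert" "$cert"; then
        echo "self-signed"
    else
        echo "not-self-signed"
    fi
}

# Demo: what a client that trusts only ca.pem decides about each server certificate.
d=$(mktemp -d) && make_demo_certs "$d"
for c in self leaf; do
    if trusted_under "$d/ca.pem" "$d/$c.pem"; then verdict=accepted; else verdict=rejected; fi
    echo "$c.pem: $(classify_cert "$d/$c.pem"), $verdict by a client trusting only ca.pem"
done
rm -rf "$d"
```

The demo root CA is itself classified as self-signed, as every root certificate is; what separates it from the rejected server certificate is that the verifying client was explicitly configured to trust it.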