That's one option. The specific method isn't important. What's important is that you think about what you are signing, and determine if the message and signature could be re-used.
OK
As long as the signature was created by properly written software, it should be fine. If you are using some closed source software, or software that hasn't been reviewed by knowledgeable people, then there is a chance that the signing software could have a bug that leaks the private key with the signature.
What do you mean when you say "signing online"? Are you using a website to generate the signature? That would be bad, since you'd have to give the website your private key. Are you just using software on a computer that is connected to the internet? How did you generate the address or original transaction? Were they created on an offline computer?
I will sign the message with Electrum while being online, that's what I meant.