Bitcoin Forum
Poll
Question: Do you require a site to have a commercial SSL to buy?  (Voting closed: July 29, 2013, 12:03:29 PM)
commercial is a must - 5 (55.6%)
self signed is acceptable - 2 (22.2%)
want, but either is ok - 2 (22.2%)
don't require - 0 (0%)
Total Voters: 9

Topic: self SSL certificate vs commercially issued - your thoughts as a buyer? (Read 787 times)
David-M (OP) | Member | Activity: 106 | Merit: 10
July 25, 2013, 12:03:29 PM  #1

I recently added accepting bitcoin on one of my sites using bitpay. Since the transaction happens over at the bitpay site, what I needed to secure is the API data sent behind the scenes. Therefore I used a self-signed SSL certificate. The only personal information recorded on the site is a signup email.

As bitcoin users, is this an acceptable level of security to you? Or do you require SSL on the whole site? Does it have to be a commercial SSL?

David

CIYAM | Legendary | Activity: 1890 | Merit: 1086 | Ian Knowles - CIYAM Lead Developer
July 25, 2013, 12:09:06 PM  #2

I expect that a lot of people would be put off by a "self-signed" certificate just because it seems a bit "too cheap" (even if they weren't worried about the lack of any CA trust-chain).

It really doesn't cost very much to get a cert that is issued so why not spend the money (or are you wanting to make a statement)?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
OnkelPaul | Legendary | Activity: 1039 | Merit: 1005
July 25, 2013, 12:11:53 PM  #3

Self-signed provides security against network sniffers but unless your users import the certificate into their browser from a secure source they could be subject to a man-in-the-middle attack.
Commercially issued certificates are quite a bit better because they are always traceable back to a root certificate - MitM attacks are much more difficult for ordinary criminals, although I think there have been cases where criminal governments have compromised CAs to obtain fake root certificates for such purposes.
As a buyer, I would be a bit uneasy when a site uses a self-signed certificate and switches between http and https "arbitrarily". Those sites that use https only for the payment pages typically state that very clearly to avoid confusion.

Onkel Paul

David-M (OP) | Member | Activity: 106 | Merit: 10
July 25, 2013, 02:06:42 PM  #4

I've only used commercial SSL in the past, but since this wasn't going to be browser based, I thought self-signed may be sufficient. I state on the signup page that users can switch to the SSL version and accept the certificate if they wish.

Quote: (or are you wanting to make a statement)?
I thought about that too.

David

CIYAM | Legendary | Activity: 1890 | Merit: 1086 | Ian Knowles - CIYAM Lead Developer
July 25, 2013, 02:12:52 PM  #5

Quote: I thought about that too.

As an alternative to the whole "cert" system I am using GPG and client-side encryption but the problem with using anything "non-standard" is that your audience gets severely reduced (so I now offer more traditional sign-ups for CIYAM Open as well and very few users are using the GPG sign-up).

K1773R | Legendary | Activity: 1792 | Merit: 1008
July 25, 2013, 02:37:59 PM  #6

Self-signed, as the CAs can't be trusted: their keys can be stolen, inside jobs, etc. But the self-signed cert should be signed with the guy's known GPG key to validate it; therefore not even the CAs can break it.

EDIT: this might also be of interest for you: http://convergence.io/

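Posts #3 and #6 both come down to the same mechanism: a self-signed cert only resists a man-in-the-middle if the client checks the presented certificate against something obtained out of band (an imported cert, or a fingerprint published under the operator's known GPG key). The following is an added example, not code from any poster, of an API client doing that pin check in Python; `SAMPLE_DER` is a constructed stand-in for the real DER certificate and the host/port/pin values passed to `connect_pinned` are the caller's own.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the DER-encoded self-signed certificate the site
# operator publishes out of band (e.g. its fingerprint in a GPG-signed notice).
# Any bytes exercise the pinning logic; a real client hashes the real cert.
SAMPLE_DER = b"-- constructed stand-in for a DER certificate --"


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_pin(pin: str) -> str:
    """Accept 'SHA256:AB:CD:...' or bare hex in any case; return bare upper-case hex."""
    pin = pin.strip()
    if pin.upper().startswith("SHA256:"):
        pin = pin[len("SHA256:"):]
    return pin.replace(":", "").upper()


def pin_matches(der_cert: bytes, expected_pin: str) -> bool:
    """Constant-time comparison of the presented cert against the pinned fingerprint."""
    presented = hashlib.sha256(der_cert).hexdigest().upper()
    return hmac.compare_digest(presented, normalize_pin(expected_pin))


def connect_pinned(host: str, port: int, expected_pin: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """TLS connection that trusts exactly one certificate: the pinned one.

    Chain validation is disabled on purpose (a self-signed cert has no chain),
    so the pin check is the only thing between this client and a MitM. The
    socket is closed before any application data is sent if the pin fails.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # no CA; the pin below is the trust anchor
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        presented = tls.getpeercert(binary_form=True)  # DER bytes even with CERT_NONE
        if not pin_matches(presented, expected_pin):
            raise ssl.SSLCertVerificationError(
                f"pin mismatch for {host}: got {sha256_fingerprint(presented)}")
    except Exception:
        tls.close()
        raise
    return tls
```

The pin itself should come from the GPG-signed notice (verified with the operator's key before use), not from a certificate fetched over the same untrusted connection.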
OnkelPaul | Legendary | Activity: 1039 | Merit: 1005
July 25, 2013, 03:16:44 PM  #7

Self signed with GPG key is good but depends on two non-trivial assumptions:
- GPG key of the site's operator is known and trusted
- customer knows how to use GPG in the first place.

Onkel Paul

BitcoinFX | Legendary | Activity: 2646 | Merit: 1722
July 25, 2013, 04:00:11 PM  #8

Quote from K1773R: Self-signed, as the CAs can't be trusted: their keys can be stolen, inside jobs, etc. But the self-signed cert should be signed with the guy's known GPG key to validate it; therefore not even the CAs can break it.

EDIT: this might also be of interest for you: http://convergence.io/

You could always get your "self-signed" SSL cert signed for free at CAcert.org. At least they have a 4096-bit root cert.

Example: http://xeronet.primeoptic.net/about-ssl.php

Convergence.io is really great! Everyone should watch Moxie's presentation - It's brilliant:

BlackHat USA 2011: SSL And The Future Of Authenticity - https://www.youtube.com/watch?feature=player_embedded&v=Z7Wl2FW2TcA

