I always thought that self-signed certs were as secure just could not be verified by trusted CAs which would trigger unsigned cert message in browsers other than that they should be functioning same as signed ones or am I misunderstanding?
The problem is that your browser trusts a lot of signing authorities. Many will let you a buy a certificate that in turn lets you sign your own certificates. That means if your attacker has money, they can easily impersonate any website they want by signing a certificate in their name.
Source: Certificate Patrol WebsiteEdit: You also need to be a company with over 5 million in assets, 5 Million in insurance and has clear audited policies on how you use the certificates. For the GeoTrust root anyway.
I've heard that there was some sort of venerability with OpenSSL certs, but other than that are signed certs by well known organizations safe? I mean could a middle man such as an ISP intercept handshake and public keys and eavesdrop inside secure channel passing packets or is it impossible?
I only started caring about ubiquitous encryption over the past 3 months or so. I am dismayed how prudent sending everything is clear-text really appears to be: HTTPS can easily give a false sense of security. I have not had time to tease out a list of best practices. My own website does not support HTTPS at the moment.
Edit: I have an interest in the gopher protocol. I may investigate using IPSec for encryption or authentication. I currently care more about authentication. Authentication can never be automated and easy: That is the situation we have with Certificate authorities. Users need to exchange information out-of-band: over the phone, in person, or by letter mail.
