Self signed certificate at glbse.com

[KenJackson]

I've been surfing around looking at different bitcoin sites and 
one I've seen is a link to is the GLobal Bitcoin Stock Exchange.

But when I click on it, I get this:

This Connection is Untrusted
You have asked Firefox to connect securely to glbse.com,
but we can't confirm that your connection is secure.
...
The certificate is not trusted because it is self-signed.

What's the deal?  Why don't they have a legitimate certificate?

[1714867475]

1714867475

[1714867475]

1714867475

[1714867475]

1714867475

[1714867475]

1714867475

[ribuck]

What's the deal?  Why don't they have a legitimate certificate?

Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.

The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.

Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.

[Arxan]

What's the deal?  Why don't they have a legitimate certificate?

Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.

The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.

Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.

and leaves its customers open to man in the middle attacks because then you have no convenient way to distinguish between the legitimate self-signed cert and an attacker's cert.  I wouldn't trust anything of value to a site that used self-signed certs or a private CA unless I went through extra effort to verify that it was ok.

[JeroenV1990]

Seems ok, you can always do a WHOIS(WHO-IS).

[abtcus]

What's the deal?  Why don't they have a legitimate certificate?

Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.

The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.

Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.

This is only partly correct. While you can generally trust a self signed certificate to establish an ssl connection, haphazardly allowing the self signed paypa1.com to get the immediate go-ahead from a browser is a terrible idea. The warning pages are essentially asking users: are you sure you know what you are about to fucking do? If anything, browsers are too lax towards established certificated authorities.

[ribuck]

... and leaves its customers open to man in the middle attacks because then you have no convenient way to distinguish between the legitimate self-signed cert and an attacker's cert...

True enough. But how do you conveniently distinguish between a legitimate purchased cert and a cert that was sold to the CIA by a compliant cert-issuer?

I wouldn't trust anything of value to a site that used self-signed certs or a private CA unless I went through extra effort to verify that it was ok.

Fair enough.

Anyway, regardless of the technical issues, a service will not be commercially successful if it causes the browser to display frightening messages.

[KenJackson]

I appreciate everyone's input.

And I think there is an additional point.  Any company that wants to do any amount of business with the public can't remain anonymous.

If we assume that this company wants to do business with the public and to grow its market share and to be respected and trusted--then it MUST have a chain of trust backing up it's website certificate.  And it MUST NOT be anonymous.

But back to my question, I wonder if they don't understand this, if there is some temporary problem they're working on, or if they have some lurking ill-intent.

[alfred]

I really think they should get a proper cert. That browser warning makes me think the site has been compromised.