I have a personal website/email server, basically for my own self-learning use. I am using CACert (http://www.cacert.org/) for my SSL certificate as advised in a tutorial. I have no clue about security, so please pardon this simple question.

OK, so my question is, would directly using my own generated certificate without third-party (CACert) involvement be safer? Could the third party become a weak link, or be used to compromise the connection or perform a MITM attack?

I am not bothered about the browser complaining that the certificate is not trusted, especially since CACert is also not trusted by 99.9% of the internet.

sprocket12

2 Answers

2

SSL certificates provide two things:

  1. Authentication of the organization to which the visitor is connecting (the organization is verified to be www.foobar.com)
  2. Confidentiality of the communication (data is encrypted using the public keys in the certificate)

Concerning point 2, there's no difference between using a self-signed cert, a certificate issued by a free CA such as CACert, or a paid CA, since the strength of the encryption depends on the characteristics of the key pair you generated (a default 2048-bit or 4096-bit RSA is fine).

Therefore what interests us is point 1, since it's the CA who verifies and certifies the identity of the remote website. It all boils down to how the CA verifies these websites. In this regard, using an external free CA untrusted by browsers doesn't make much difference from using a self-signed cert. Therefore I would go for a self-signed cert in this case, as you can generate it yourself without hassle (just make sure you're doing this properly!).

You can safely use a self-signed cert if your website is for internal use, say for your friends or a group of people. (From what I understood from your question, this is your case.) However, if your website is public-facing and you want to do things in a proper and professional way, you should buy an SSL cert from a recognized CA.

dr_
-2

No, it is even less safe. If you have no knowledge of security or of certificates you should not roll your own. (Luckily it's not as bad as running your own CA without knowledge.)

CACert helps you to get the proper values in your certificates so you're safe from misuse. The web of trust also means that CAcert will be on par with a face-to-face audit from a commercial CA. (Assuming you go for a better validation so you can get a one-year certificate.)

LvB
  • It may sound counterintuitive, but since the OP is the only person using this server, a self-signed certificate is probably no worse than one issued by a formal CA. In fact, it may even be better in some regards. With a self-signed cert, the OP knows exactly what the CA cert should look like and can add it as a trusted cert in the browser to get warnings if it ever changes. With a "real" CA, you have to worry about the possibility of the CA getting compromised or abusing its trust and issuing bad certificates. The CA becomes a weak link. – tlng05 May 24 '15 at 03:55
  • @user54791 do you know CACert? They're not like any other CA. OP said he did not understand the security aspects of SSL certificates. When that's the case I would still not recommend self-signed over CAcert, because they do understand certificates and have the safeguards to generate the right properties within them. – LvB May 24 '15 at 04:05
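Two points in the thread above are concrete enough to show in working commands: dr_'s "just make sure you're doing this properly" (a self-signed cert is only as good as the properties you put in it, which is also LvB's concern), and tlng05's suggestion of knowing exactly what your own cert looks like so that any change is noticed. The script below is an added example written for this page; it is not code from any of the posters or from CAcert. It assumes the `openssl` command-line tool is installed, and the host name `mail.example.test` and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI.
#
# make_selfsigned DIR HOST
#   Generates an RSA key and a self-signed certificate for HOST in DIR.
#   The "doing it properly" part: a subjectAltName (browsers match the
#   host name against SAN, not the CN), CA:FALSE so the cert cannot be
#   misused to sign other certs, and server-only key usage.
#   2048-bit RSA is used here for speed; 4096 is equally acceptable.
make_selfsigned() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 365 \
    -config "$dir/openssl.cnf" >/dev/null 2>&1
}

# cert_has_san CERT HOST -> success if CERT carries DNS:HOST in its SAN
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_fingerprint CERT -> prints the SHA-256 fingerprint (colon-separated hex)
# This is the value you record once ("pin") for your own server.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_pin CERT EXPECTED -> success only if CERT's fingerprint equals EXPECTED.
# tlng05's point: because you issued the cert yourself, any mismatch here
# means the certificate you are being shown is not the one you made.
check_pin() {
  [ "$(cert_fingerprint "$1")" = "$2" ]
}

# verify_with_trusted CERT TRUSTED -> success if CERT chains to TRUSTED.
# For a self-signed cert, TRUSTED is the cert itself, which is exactly
# what importing it into a browser's trust store amounts to.
verify_with_trusted() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# remote_fingerprint HOST PORT -> fingerprint of the cert a live server
# presents, for comparing against the pinned value (needs network access).
remote_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Stand-alone demonstration: run as "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_selfsigned "$d" "mail.example.test"
  pin=$(cert_fingerprint "$d/cert.pem")
  echo "pinned fingerprint: $pin"
  check_pin "$d/cert.pem" "$pin" && echo "pin matches own cert"
  make_selfsigned "$d/other" "mail.example.test"
  check_pin "$d/other/cert.pem" "$pin" || echo "a re-issued cert is detected"
  rm -rf "$d"
fi
```

The fingerprint check is the whole benefit of the self-signed route that tlng05 describes: there is exactly one certificate that should ever appear for this host, and a one-line comparison against the recorded value catches anything else. Note that `openssl verify` against the cert itself only proves the chain; it does not check the host name, which is why `cert_has_san` is kept as a separate test.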