4
3
I'm using a self signed SSL certificate on the homepage for our prom. I know almost everybody who uses this website personally, so I can assure them that the certificate is trustworthy, even though the browser displays a warning.
The question is: If I use this self-signed certificate and my classmates visit the website anyway, are they less safe from hackers, malware attacks, and so on?
The website doesn't require the highest security: the only purpose of the website is for chatting and for ordering tickets; the payment doesn't happen on the website!
EDIT:
When you enter an unencrypted website, no warning is displayed. Does this mean no encryption is better than self-made encryption? I don't think so!
2
You could also obtain a certificate from Let’s Encrypt. It would be trusted by all modern browsers.
– Daniel B – 2016-02-28T16:57:06.890
Any certificate is only safe if you trust the signer of the certificate. – Ramhound – 2016-02-28T17:18:52.287
The real question is why are you implementing SSL/TLS in the first place? What features are you hoping to gain by providing the encryption? Self-signed certificates can work just as well as any other certificate, but it usually places the burden of verifying trust on the user. If the user is not going to actually verify that trust (or doesn't know how), using a self-signed cert is only slightly better than unencrypted (and not worth the hassle IMHO). – heavyd – 2016-02-28T18:19:32.347
To answer your edit: yes, it is better IMHO. Self-made encryption is equal to no encryption in security, but it gives people a false sense of security, so they end up doing things they would not have done on an unencrypted connection; that is what makes self-made worse. – Scott Chamberlain – 2016-02-29T01:01:24.463
The answers given so far are technically correct, but they miss one point: Do you want to train/teach your visitors that self-signed certificates are acceptable? I suggest you don't do that. Since you also mention in a comment answer that your visitors are not tech savvy, the best solution is to go the LetsEncrypt way. That works as intended, so there is really no reason to hack around and 'do your own stuff'. – Jan Doggen – 2016-03-02T08:57:35.073
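
heavyd's comment above says a self-signed certificate places the burden of verifying trust on the user. A sketch of what that check involves, as an added example that is not part of the original thread: compare the SHA-256 fingerprint of the certificate the server presents with one the site owner announced out of band. The function names and the sample certificates are assumptions; the sample "certificates" are constructed placeholder bytes, not real X.509 data.

```python
import hashlib
import hmac
import ssl


def fetch_presented_cert(host: str, port: int = 443) -> str:
    """PEM of whatever certificate the server presents (no CA validation)."""
    return ssl.get_server_certificate((host, port))


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def display_form(hex_fp: str) -> str:
    """Colon-separated uppercase form, convenient for reading aloud or printing."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()


def normalize(announced: str) -> str:
    """Accept colons, spaces and mixed case; reject anything not 32 bytes of hex."""
    cleaned = "".join(announced.split()).replace(":", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def matches_announced(pem: str, announced: str) -> bool:
    """True only if the presented certificate is the one that was announced."""
    return hmac.compare_digest(fingerprint(pem), normalize(announced))


# Constructed stand-ins: the fingerprint is a hash of the encoded bytes, so
# placeholder bytes wrapped as PEM are enough to show the comparison.
SITE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed bytes standing in for the site's certificate")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed bytes standing in for a substituted certificate")
ANNOUNCED = display_form(fingerprint(SITE_PEM))  # what the admin hands out in person

if __name__ == "__main__":
    print("announced:", ANNOUNCED)
    print("site cert matches:", matches_announced(SITE_PEM, ANNOUNCED))
    print("other cert matches:", matches_announced(OTHER_PEM, ANNOUNCED))
```

Against a live site, `fetch_presented_cert` supplies the PEM; a mismatch means the visitor is not talking to the certificate the owner announced and should not click through the warning.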