Most Certificate Authorities (CAs) charge a lot of money to verify your company before issuing an SSL certificate. So it can be very tempting to use a free, self-signed certificate for your HTTPS server. But is that okay?
The short answer is that it is most definitely possible to set up a secure website without buying an SSL certificate from a CA. But there are some problems with doing this:
Web Browser Warning Messages
When a customer comes to your website and it is secured with a self-signed or free SSL certificate, most web browsers will display a scary warning like the one shown here. While some visitors will click past this warning, install the certificate and continue to your site, most will click the "Get me out of here!" button and never come back.
The other, more serious problem is that if you have a self-signed certificate on your server and your site is somehow hacked, that server is now compromised even though it still appears secure. Customers who ignored the warning above are then even more vulnerable, because they believe their connection is secure when it is not.
When to Pay for an SSL Certificate
There are a few situations when paying for an SSL certificate is just the cost of doing business, including:
- ecommerce sites
All ecommerce sites must have a signed SSL certificate if they expect customers to enter their credit card information. The only way around this is to use a company like PayPal to handle your transactions, so that the purchasing process takes place on their secure server instead of yours.
- collecting private information
If your website needs to collect private or sensitive information such as addresses or social security numbers, you should collect it on a secure server with a signed SSL certificate. Otherwise you are asking your customers to send private and sensitive information over the Internet in clear text, where it can easily be intercepted and used for identity theft.
- sites that are expected to be secure
If you are running a site for a security-conscious community, such as an Internet security services company, then without a signed SSL certificate your site will not look secure, and your customers will not trust what you are providing.
When a Self-Signed SSL Certificate is Okay
I don't believe that any site that needs an SSL certificate for customer-facing pages should use a self-signed one. I also don't think it's a good idea to use a self-signed certificate on any web server that is live on the Internet. That is just asking for hackers to set up a man-in-the-middle or similar attack against your server and trick people into providing information they shouldn't.
The only time a self-signed certificate should be used is for testing behind a firewall, such as on a desktop computer that sits behind a software or hardware firewall on your home network.
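The three situations in this article, the browser warning, the visitor who clicks past it, and the test machine behind a firewall that has installed the certificate, can be reproduced with a short Go program. This is an added example, not code from the original article; it assumes Go's standard library only and uses the self-signed loopback certificate that net/http/httptest ships for its TLS test server.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Outcome records how one client configuration fared against the self-signed server.
type Outcome struct {
	Connected        bool // handshake succeeded and the response body was read
	UnknownAuthority bool // failed the same chain check that triggers the browser warning
	Body             string
}

// fetch does one HTTPS GET using the given client-side TLS settings.
func fetch(url string, cfg *tls.Config) Outcome {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		var ua x509.UnknownAuthorityError
		return Outcome{UnknownAuthority: errors.As(err, &ua)}
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return Outcome{Connected: true, Body: string(body)}
}

// Scenarios starts an HTTPS server with a self-signed certificate (httptest ships one for
// loopback addresses) and connects three ways, mirroring the text: the browser warning
// (system trust store), the visitor who clicks past it, and the firewalled test box.
func Scenarios() (warn, clickPast, installed Outcome) {
	// constructed stand-in for a page that collects private data
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "secret order form") }))
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // what "install the certificate" does on a test machine
	return fetch(srv.URL, &tls.Config{}), // rejected: certificate signed by unknown authority
		fetch(srv.URL, &tls.Config{InsecureSkipVerify: true}), // accepted without any check at all
		fetch(srv.URL, &tls.Config{RootCAs: pool}) // accepted: the cert itself is the trust anchor
}

func main() {
	w, c, i := Scenarios()
	fmt.Printf("trust store: %+v\nverification off: %+v\ninstalled: %+v\n", w, c, i)
}
```

The second case is the dangerous one from the article: with verification switched off the client receives the page from whoever answers on that address, which is exactly what a visitor who clicks past the warning has agreed to.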