SSL Server Test marks self-signed certificates as "Insecure". Is that correct?

Question asked by RayH on Apr 25, 2012
I greatly appreciate you making available a free tool to the admin community to allow people to test their own certificates and web site configurations.


I have no doubt this helps people avoid common pitfalls and provides useful advice that helps make the Internet a safer place.


However the SSL Server Test also marks self-signed certificates as "Insecure" in red.

Trusted No  INSECURE   (Why?)


I submit that this is a fundamentally incorrect label to place on sites that use self-signed certificates.


I could accept a label such as "unable to trace the chain of trust back to a root certificate trusted by Qualys"


or "this site will be untrusted by most browsers without a user acknowledged exception"


I can even accept your own overall "Trust" rating along the lines of "we do not trust this site".


But I happen to trust my certificate quite a lot. I generated it on a system that I manage. I signed it. I know what information it's used to protect, and the risks associated with loss of confidentiality, integrity, or availability of this data. And I trust myself more than any online service or third-party company, most of whom do not perform any real identity checks before issuing a certificate to a company web site.


"Trust" is orthogonal to "insecure" in the case of a self-signed certificate.


Does anyone else agree?
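The two labels RayH wants to see ("unable to trace the chain of trust back to a trusted root" and "untrusted without a user acknowledged exception") correspond to two concrete verification outcomes, and the script below makes them visible. It is an added example, not part of RayH's post and not Qualys code: it generates a self-signed certificate with the OpenSSL command line, shows that path validation against the default trust store fails because no trusted anchor is reachable, then shows that the same certificate validates once it is explicitly configured as the anchor (the "acknowledged exception", which is really fingerprint or certificate pinning). The hostname `selfsigned.example.test`, the scratch directory, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI
# (1.1.1 or later for -addext). Scratch files go in WORKDIR.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOSTNAME_UNDER_TEST="selfsigned.example.test"   # hypothetical hostname

# Generate an RSA-2048 key and a self-signed certificate whose SAN
# matches the hostname; the operator is both subject and issuer.
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" \
    -days 365 -subj "/CN=$HOSTNAME_UNDER_TEST" \
    -addext "subjectAltName=DNS:$HOSTNAME_UNDER_TEST" >/dev/null 2>&1
}

# Outcome 1: path validation with only the default trust store.
# Returns non-zero: the chain ends at a root that is not a known anchor.
verify_with_system_store() {
  openssl verify "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Outcome 2: the same certificate with itself configured as the trust
# anchor, plus a hostname check. Returns 0: trust was supplied out of
# band, the cryptography is unchanged.
verify_with_pinned_anchor() {
  openssl verify -CAfile "$WORKDIR/server.crt" \
    -verify_hostname "$HOSTNAME_UNDER_TEST" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# The value an operator would publish so clients can pin the certificate:
# SHA-256 fingerprint as 64 uppercase hex characters, colons stripped.
cert_sha256_fingerprint() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g'
}

# Stand-alone run: print both outcomes and the pin.
gen_selfsigned
if verify_with_system_store; then
  echo "system store: verified (unexpected for a self-signed cert)"
else
  echo "system store: NOT verified (no trusted anchor in the chain)"
fi
if verify_with_pinned_anchor; then
  echo "pinned anchor: verified for $HOSTNAME_UNDER_TEST"
else
  echo "pinned anchor: NOT verified"
fi
echo "pin (SHA-256): $(cert_sha256_fingerprint)"
```

Both checks use the same key, the same signature algorithm and the same certificate; only the set of configured anchors differs. That is the distinction the post draws: the "Trusted: No" outcome is a statement about the verifier's anchor set, not about the strength of the server's cryptography.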