I greatly appreciate you making available a free tool to the admin community to allow people to test their own certificates and web site configurations.
I have no doubt this helps people avoid common pitfalls and provides useful advice that helps make the Internet a safer place.
However, the SSL Server Test also marks self-signed certificates as "Insecure" in red.
I submit that this is a fundamentally incorrect label to place on sites that use self-signed certificates.
I could accept a label such as "unable to trace the chain of trust back to a root certificate trusted by Qualys" or "this site will be untrusted by most browsers without a user-acknowledged exception".
I can even accept your own overall "Trust" rating along the lines of "we do not trust this site".
But I happen to trust my certificate quite a lot. I generated it on a system that I manage. I signed it. I know what information it's used to protect, and the risks associated with loss of confidentiality, integrity, or availability of this data. And I trust myself more than any online service or third-party company, most of whom do not perform any real identity checks before issuing a certificate to a company web site.
"Trust" is orthogonal to "insecure" in the case of a self-signed certificate.
Does anyone else agree?
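The distinction the post draws, as an added example that is not part of the original post or of the SSL Server Test: a self-signed certificate fails chain validation against the default trust store (no path to a trusted root), yet validates cleanly once the operator pins the certificate itself as the trust anchor. It assumes the `openssl` command-line tool is installed; the hostname `selfsigned.example.invalid`, the one-day validity and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is available.
# The hostname and file locations below are constructed for this demonstration.
set -e

WORK=$(mktemp -d)
CERT="$WORK/self.pem"
KEY="$WORK/self.key"

# Generate a self-signed certificate (RSA 2048, valid 1 day) for a constructed hostname.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
    -days 1 -subj "/CN=selfsigned.example.invalid" >/dev/null 2>&1
}

# Returns 0 only if the certificate chains to a root in the default (system) store.
# For a self-signed certificate this fails: there is no path to a trusted root.
verify_against_system_store() {
  openssl verify "$CERT" >/dev/null 2>&1
}

# Returns 0 if the certificate validates when it is itself the pinned trust anchor,
# which is the operator's situation described in the post.
verify_against_pinned_anchor() {
  openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

# Prints the SHA-256 fingerprint (colon-separated hex), the value an operator would
# distribute out of band so clients can pin the certificate explicitly.
cert_sha256_fingerprint() {
  openssl x509 -in "$CERT" -noout -fingerprint -sha256 | cut -d= -f2
}

# Short demonstration run; the temporary directory is left in place.
make_self_signed
if verify_against_system_store; then
  echo "system store: accepted"
else
  echo "system store: rejected (no path to a trusted root, as expected)"
fi
if verify_against_pinned_anchor; then
  echo "pinned anchor: accepted"
else
  echo "pinned anchor: rejected"
fi
echo "fingerprint to pin: $(cert_sha256_fingerprint)"
```

The two `openssl verify` calls use identical cryptography; only the trust store differs. That is the separation the post argues for: the first result is a statement about chain-of-trust policy, not about the strength of the TLS session.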