If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Self-signed vs Purchased Certificates

Started by nish009, Jul 01, 2023, 12:16 AM


nish009 (Topic starter)

I don't consider it trolling. I genuinely have such an approach to life. The economy should be frugal. Each objective has its own means.


It is also important not to take things to the point of absurdity and sometimes to make allowances immediately; there is even an approach called "from extreme to extreme", and it can be effective for certain tasks in order to assess the prospects immediately.

But it is always necessary to understand what you are paying for.

If my goal is simply to encrypt traffic in order to protect it from being intercepted using Wireshark, there is no need to worry about SEO, trust, banking, etc. This is an internal server, and my own browser (based on WebKit) will be the client for it. Or, in general, the system will work over TCP.

In this case, is a self-signed certificate sufficient? Or will a purchased certificate have any real advantages?

And in what cases will it have them?


ivoryhyena78

If the certificate is not signed by trusted authorities, web browsers will display a warning message indicating that "the certificate is not reliable!"

This doesn't impact the encryption itself. If you're using the connection only for yourself and a group of trusted individuals, you can simply instruct them to click "allow" and everything will work fine. In such cases, self-signed certificates can be used.

However, if the service is meant for public use, these warnings about an unreliable certificate may deter potential customers. In such situations, it is advisable to purchase a certificate that is signed by a reputable certification authority.

As for myself, I personally wouldn't opt for Let's Encrypt as a matter of principle (in fact, I haven't). It employs a rather questionable approach where you need to install a specific "client" that generates and manages certificates on your behalf. There's no guarantee that this client won't transmit your private key to unknown entities or engage in any other dubious activities depending on what it can access.

flop

The purchase of a certificate involves the acquisition of a confirmation on behalf of a recognized and trusted office, ensuring that the certificate holder is indeed the intended recipient. This is a significant responsibility, as any breach in trust can have severe consequences. Consider the incident with StartSSL/WoSign, where their actions led to a loss of trust.

Interestingly, individuals rarely issue certificates for themselves unless there is a need for public validation, as seen with iLO's web interface generating a "basic" certificate. On the other hand, corporate CAs frequently issue certificates for internal use.

When purchasing a certificate, the confirmation received guarantees that the individual named in the certificate is genuinely who they claim to be. This assurance is provided by the issuing CA, whose authority lends credibility to the certificate. Attempting to create a counterfeit document, like writing "Passport of a citizen of all Russia" on a piece of paper, would not be believable without the trust in the responsible authority.

Trust in CAs varies, with some being more trusted than others.

yFihivPy

In your situation, a self-signed certificate is sufficient. The only difference from a certificate obtained from a trusted certification authority is the level of trust. This means that the operating system, browser, and applications are not aware of the certificate issuer and do not automatically trust it. If you don't manually indicate that this certificate is trustworthy, you will receive a certificate error warning.

If you have multiple websites, I suggest creating a small unified repository and using it to sign certificates for all your sites. This way, browsers only need to trust this single repository instead of each individual certificate.

A UTS can be established using any free PKI infrastructure. There are many convenient and easy-to-install options available.
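The "small unified repository" yFihivPy describes, and the "instruct them to trust it" step in ivoryhyena78's reply, amount to a private CA whose single root is the only thing a browser has to trust. The script below is an added example (not from any poster) that builds such a root with OpenSSL, issues certificates for two hypothetical internal hosts (intranet.example, git.example), and checks which trust anchor makes them verify; it assumes openssl 1.1.1 or newer is on the PATH.

```shell
#!/bin/sh
# Added example: a private CA signing certificates for several internal sites.
# Everything lands in a throwaway directory; nothing touches the system trust store.
set -eu
WORK=$(mktemp -d)

# Minimal req config so the script does not depend on the distro's openssl.cnf.
# The root gets explicit CA:TRUE so browsers/openssl accept it as an issuer.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Create the single self-signed root that clients will be told to trust (hypothetical name).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/req.cnf" \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate for host $1, signed by the root rather than by itself.
# The SAN is what modern browsers match against; CN alone is no longer enough.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Returns 0 only if the certificate for host $1 chains to the trust anchor file $2.
# This is the same decision a browser makes once the root has been imported.
verify_against() {
  openssl verify -CAfile "$2" "$WORK/$1.crt" >/dev/null 2>&1
}
```

Importing only ca.crt into a client's trust store makes every certificate the root signs verify; anything not signed by that root, or verified without it, still fails.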

lovish

In the case you described, if your goal is simply to encrypt traffic and protect it from interception using Wireshark, a self-signed certificate should be sufficient. A self-signed certificate allows you to establish an encrypted communication channel between your server and client, ensuring that the data cannot be easily intercepted or tampered with.

However, there are certain advantages to using a purchased certificate in some cases. One advantage is trust. Most web browsers and operating systems come pre-installed with a list of trusted certificate authorities (CAs). When you use a purchased certificate from a trusted CA, the browser or operating system automatically recognizes and trusts the certificate, displaying a padlock icon or other indicators to assure users that the connection is secure.

On the other hand, when you use a self-signed certificate, the browser will display a warning to users that the connection may not be secure because it cannot verify the authenticity of the certificate. This warning may discourage some users from accessing your website or using your services.

Therefore, if trust is important for your application or if your goal is to provide a seamless and trustworthy experience for your users, it may be worth considering a purchased certificate from a trusted CA. Additionally, if you need to comply with certain industry standards or regulations, they may require the use of trusted certificates.

Considerations when deciding between a self-signed certificate and a purchased certificate:

1. Compatibility: While modern web browsers generally accept self-signed certificates, older or less common browsers or devices may not recognize them. Purchased certificates from trusted CAs are more widely recognized and compatible across various platforms and systems.

2. User Experience: Using a self-signed certificate may result in a less seamless user experience due to the warning prompts displayed by web browsers. This can potentially confuse or discourage users from accessing your site. With a purchased certificate, users will see visual cues indicating that the connection is secure, enhancing their trust in your website.

3. Extended Validation (EV) Certificates: If you require a higher level of verification and authentication, such as for e-commerce or financial transactions, EV certificates provide the highest level of assurance. These certificates display the company name in the address bar, giving users increased confidence in the legitimacy of your website. EV certificates are only available through trusted CAs.

4. Customer Confidence: When users see a trusted CA's name associated with your website, it creates a sense of trust and legitimacy. This can be especially important for websites that handle sensitive information like personal data or financial transactions.

5. Cost and Renewal: Self-signed certificates are free, while purchased certificates typically involve a cost. Consider your budget and evaluate whether the advantages of a purchased certificate outweigh the expense. Keep in mind that purchased certificates also require renewal after their validity period, usually on an annual basis.

In summary, if your primary focus is encryption and your target audience understands the implications of self-signed certificates, they may suffice for your needs. However, if trust, compatibility, user experience, and industry compliance are important factors, investing in a purchased certificate from a trusted CA might be worth considering.

rahul verma

A third party known as a certificate authority (CA), who is empowered to verify the applicant's identity, creates, signs, and issues a self-signed certificate, whereas a CA certificate is created, signed, and issued by the subject of the certificate (the entity it is issued to).
