One of my top pet peeves in my field is the use of self-signed SSL certificates for public web sites. I have no issue with using self-signed SSL certificates for a development environment or something internal, but when you have outside users, you need to show them that they can trust you. Just today, I got a “secure” email from my student loan company (which first got marked as junk). When I clicked on the URL in the email (https://securemail…) I got the error message “certificate was signed by an unknown certifying authority”. My blood began to boil.
A. You have all kinds of personal information about me, my loans, etc., and you cannot pay $199 a year to get a certificate that my browser recognizes and trusts?
B. You make an extra effort to send a “secure email” to a “https” (secure) site, and choose to set up a “securemail” sub-domain – and when it comes to the certificate, you skimp? Wow.