Why not sign your own certificate[1]? Is there any reason to trust StartSSL? How do we trust any SSL company? They may well be giving private keys to the NSA, especially if the certificate is free.
[1] To clarify I mean for personal use like securing your own servers for your own use.
I use my own certificates internally, of course. I just want to prevent eavesdropping, so it's good enough, and I'm sure the NSA doesn't have my keys.
The problem is, of course, browsers won't have you as a trusted root, therefore displaying a warning to the users. That's not acceptable for a public facing site. We have to trust someone here to give us a certificate.
Because then we start training users to just ignore those warnings about self signed certs and effectively destroy SSL because man in the middle attacks are made easy.
and I just saw your clarification. Who doesn't use self signed for that?
For that matter, you can do that within and organization and just push out your CA cert company wide. Save some money.
The free SSL certs are maximum 256bit keys. As pointed out in Cloudflare's blog post yesterday, a 2009-era PC could crack a 512bit SSL cert key in 73 days. Todays machines would make mincemeat of such weak certs.
I'm confused. I thought StartSSL only supported 256 bit certs, and their website does mentioned that, but the linked article mentions generating a 2048 bit key which gets signed by StartSSL.
[1] To clarify I mean for personal use like securing your own servers for your own use.