What are the risks of using a self-signed SSL certificate?
Using a self-signed SSL certificate on a website carries significant risks, which mainly come from the following aspects:

Self-signed SSL certificates are easy to counterfeit and forge, and are readily used by fraudulent websites.

Self-signed SSL certificates can be issued at will, without any supervision: you can issue one yourself, and so can anyone else. If your website uses a self-signed SSL certificate, an attacker can forge a self-signed certificate that looks identical to the user and use it on a phishing website, for example a fake online banking site presenting the same certificate!

Authoritative CAs are audited and supervised under international standards and cannot issue certificates at will. Only after strictly verifying the applicant's identity is a certificate issued, unique in the world, so there is no room for forgery. Regular SSL certificates are supported by all browsers, and the browser's built-in verification mechanism automatically checks the real information and the status of the SSL certificate. If the domain name bound to the certificate does not match the actual domain name, or the certificate has been revoked or has expired, the browser automatically warns the user that "there is a problem with this website's security certificate", and the fake website has nowhere to hide!

When a website is deployed with a self-signed SSL certificate, the browser keeps showing warnings.

Browsers do not trust self-signed SSL certificates. When a user visits a website that uses one, the browser repeatedly shows security warnings, which badly degrades the user experience.

Self-signed SSL certificates are the most vulnerable to SSL man-in-the-middle attacks.

When a user visits a website with a self-signed SSL certificate, the site usually tells the user to click "Continue" when the browser shows its warning. Users gradually get into the habit of ignoring browser warnings, which creates an opening for man-in-the-middle attacks and makes the website more vulnerable to them.

In a typical SSL man-in-the-middle attack, the attacker is on the same LAN as the user or the server. The attacker can intercept the user's packets, including the SSL traffic, and present a fake server SSL certificate to the user, thereby intercepting the confidential information the user enters. When the website's certificate is replaced by a fake one, the browser warns the user that the certificate is not trusted and asks whether to trust it anyway. Users habitually click "continue browsing", and the man-in-the-middle attack succeeds easily.

Self-signed SSL certificates have no accessible revocation list.

This is a problem common to all self-signed SSL certificates. Making an SSL certificate is not difficult: it can be done with OpenSSL in a few minutes. Making an SSL certificate really work, however, is not so easy. For a certificate to operate properly, one necessary function is that the browser can check in real time whether the certificate has expired or been revoked, so the certificate must have a certificate revocation list that the browser can reach. If the browser cannot check revocation status in real time, then once the certificate is lost or stolen it cannot be revoked, it is very likely to be used for illegal purposes, and users will suffer losses. In addition, the browser will show a "revocation list is unavailable, do you want to continue?" security warning, which greatly extends the browser's processing time and slows down page loading.

Self-signed SSL certificates allow a long validity period, and the longer it is, the easier the certificate is to crack.

Another common problem with self-signed certificates is that the validity period is too long, ranging from 5 years to 20 years or even 30 years. Because producing a self-signed certificate costs nothing and is unsupervised, you can issue it for as many years as you like. Such issuers are unaware of the basic principle behind the validity limits in PKI technical standards: the longer the validity period, the easier it is for an attacker to crack, because they have enough time (20 years) to break your encryption.
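The forgery and man-in-the-middle points above, and the validity-period point in this section, can both be shown with one small program. The following Go code is an added example, not part of the original article and not code from any browser or CA. It builds a trust store containing one hypothetical root CA ("Example Root CA (hypothetical)"), then checks three certificates for the constructed hostname bank.example against that store: the site's own 20-year self-signed certificate, an attacker's self-signed certificate for the same name, and a one-year certificate issued by the CA. Go's standard crypto/x509 package performs the same chain and hostname validation a browser does. The 398-day cap used for the lifetime check is the CA/Browser Forum limit on publicly trusted server certificates; the MaxLeafValidity constant and the issue/trusted/RunScenario helpers are my own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostname for the example; not a real site.
const host = "bank.example"

// MaxLeafValidity is the longest lifetime a server certificate should carry.
// 398 days is the CA/Browser Forum limit for publicly trusted certificates;
// a self-signed certificate is bound by no such cap.
const MaxLeafValidity = 398 * 24 * time.Hour

// issue creates a certificate for cn valid for the given number of days.
// With parent == nil the certificate is self-signed (signed by its own key,
// as anyone can do); otherwise it is signed by parent with parentKey, as a CA does.
func issue(cn string, days int, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // RFC 5280: serial must be positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // browsers match the SAN, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := parent
	if signer == nil {
		signer, parentKey = tmpl, key // self-signed: template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trusted reports whether cert chains to a root in roots for host: the check
// a browser performs before deciding whether to show a certificate warning.
func trusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// ValidityTooLong flags a certificate whose lifetime exceeds max.
func ValidityTooLong(c *x509.Certificate, max time.Duration) bool {
	return c.NotAfter.Sub(c.NotBefore) > max
}

// Outcome collects the scenario's results so a caller can check them.
type Outcome struct {
	LegitSelfSignedTrusted  bool // the site's own self-signed certificate
	ForgedSelfSignedTrusted bool // an attacker's self-signed certificate, same name
	CAIssuedTrusted         bool // a certificate issued by the hypothetical root CA
	SelfSignedTooLong       bool // 20-year self-signed lifetime vs. MaxLeafValidity
	CAIssuedTooLong         bool // 1-year CA-issued lifetime vs. MaxLeafValidity
}

// RunScenario builds a trust store holding one hypothetical root CA and tests
// three certificates for the same hostname against it.
func RunScenario() (Outcome, error) {
	var out Outcome
	caCert, caKey, err := issue("Example Root CA (hypothetical)", 3650, true, nil, nil)
	if err != nil {
		return out, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)

	legit, _, err := issue(host, 20*365, false, nil, nil) // 20-year self-signed, as the article describes
	if err != nil {
		return out, err
	}
	forged, _, err := issue(host, 20*365, false, nil, nil) // anyone can make one for the same name
	if err != nil {
		return out, err
	}
	issued, _, err := issue(host, 365, false, caCert, caKey) // one-year CA-issued certificate
	if err != nil {
		return out, err
	}
	out.LegitSelfSignedTrusted = trusted(legit, roots)
	out.ForgedSelfSignedTrusted = trusted(forged, roots)
	out.CAIssuedTrusted = trusted(issued, roots)
	out.SelfSignedTooLong = ValidityTooLong(legit, MaxLeafValidity)
	out.CAIssuedTooLong = ValidityTooLong(issued, MaxLeafValidity)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

The result is the article's argument in concrete form: the site's genuine self-signed certificate and the attacker's forgery fail validation with exactly the same "unknown authority" outcome, so a user who has learned to click through the warning cannot tell them apart, while only the CA-issued certificate chains to the trust store. The lifetime check shows why a CA-issued certificate stays within the 398-day limit and a self-signed one is free to exceed it.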