HTTP-Yes! Google boosts SSL-encrypted sites in search results

h4rm0ny

Re: Slightly off-topic but

>>"It makes no sense to me that browsers treat a self-signed certificate as worse than no encryption at all. It still protects against passive eavesdropping, isn't that better than nothing?"

It is better than nothing at all in a technical sense. But if it introduces a false sense of security, that could be worse. An incorrect certificate is a major warning sign. If a browser takes a self-signed certificate as just a lower level of security, it would be quite easy to pass along a fake certificate and the browser will just shrug and change the icon from green to orange or whatever - something a user will have become habituated to ignore through all the cases where self-signed certificates were legitimately used.

To counter that, you'd have to check every self-signed certificate you got against all CAs just to see if they actually had a legitimate alternative registered with them. And whilst I haven't thought that through, I can already think of some significant attack vectors that would open up.
