Pub O'clock probe finds thousands of repeated 512-bit RSA keys

Michael Wojcik Silver badge

Re: Why can't we just purchase ......

Configuring an SSL/TLS appliance with a different server certificate - self-signed or otherwise - doesn't help with the FREAK attack. FREAK has two components: the relatively low cost of factoring now-useless export-grade RSA keys, and ways for a MITM to trick a client and server into using an export-grade suite.

When an export-grade suite is chosen, the server will provide the client with a second, short RSA public key, and the client will use that short key to encrypt the premaster secret. That short RSA key is separate from the public key in the server's certificate.

So the server could have a certificate with a 16 Kbit RSA key, and still be vulnerable to FREAK.

Of course, the larger problem with self-signed certificates is that they aren't worth the paper they aren't printed on. They mean nothing. They can be used to exchange public keys over secure channels with entities whose identity you've already verified, but that's a rather limited use case, and PGP/GPG is a better choice for that, since it also provides the whole keyserver-and-web-of-trust PKI infrastructure, which is flawed but better than nothing.
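The two-key structure the comment describes, as an added illustration that is not part of the original post: a scaled-down, textbook-RSA model of the RSA_EXPORT key exchange. The server signs a short ephemeral "export" key with its certificate key, and the client encrypts the premaster secret under that short key, so the certificate's key size never bounds what an attacker has to factor. Key sizes (512-bit "certificate" key, 128-bit "export" key) are deliberately toy-sized so it runs in well under a second, and there is no padding, so it is a model of the protocol's shape, not of TLS itself.

```python
"""Toy model of the TLS RSA_EXPORT key exchange (illustration only).

Constructed example: textbook RSA without padding and with scaled-down key
sizes. It shows that the premaster secret is protected by the short export
key sent in ServerKeyExchange, not by the key in the server's certificate.
"""
import hashlib
import math
import random
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime with the top bit set, so the product has the expected size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits: int):
    """Return (n, e, d) for an RSA modulus of roughly `bits` bits."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) != 1:
            continue
        return p * q, e, pow(e, -1, phi)


def run_export_handshake(cert_key_bits: int, export_key_bits: int) -> dict:
    """Simulate one RSA_EXPORT exchange and report which key guards the premaster."""
    if cert_key_bits < 384:
        raise ValueError("toy signature needs the certificate key to exceed the SHA-256 digest")
    # Long-lived key from the server certificate (the "16 Kbit" key in the comment).
    cert_n, cert_e, cert_d = rsa_keypair(cert_key_bits)
    # Short ephemeral key the server sends in ServerKeyExchange for an export suite.
    exp_n, exp_e, exp_d = rsa_keypair(export_key_bits)

    # Server authenticates the export key by signing its parameters with the certificate key.
    params = exp_n.to_bytes((exp_n.bit_length() + 7) // 8, "big") + exp_e.to_bytes(3, "big")
    digest = int.from_bytes(hashlib.sha256(params).digest(), "big")
    signature = pow(digest, cert_d, cert_n)

    # Client checks the signature with the certificate's public key ...
    if pow(signature, cert_e, cert_n) != digest:
        raise RuntimeError("export key signature did not verify")
    # ... and then encrypts the premaster secret under the SHORT export key.
    premaster = secrets.randbelow(exp_n - 2) + 2
    client_key_exchange = pow(premaster, exp_e, exp_n)

    # Server recovers the premaster secret with the export private key.
    recovered = pow(client_key_exchange, exp_d, exp_n)
    return {
        "cert_key_bits": cert_n.bit_length(),
        "premaster_encrypted_under_bits": exp_n.bit_length(),
        "premaster_recovered": recovered == premaster,
    }


if __name__ == "__main__":
    for cert_bits in (512, 1024):
        print(run_export_handshake(cert_bits, 128))
```

Running it with a 512-bit and then a 1024-bit certificate key prints the same `premaster_encrypted_under_bits` both times: whoever can factor the export modulus recovers the premaster secret regardless of how large the certificate key is, which is why the fix is to refuse export suites on both client and server rather than to change certificates.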
