Is a self-signed SSL certificate less secure?

Tags: certificate, security, ssl

I'm using a self-signed SSL certificate on the homepage for our prom. I know almost everybody who uses this website personally, so I can assure them that the certificate is trustworthy, even though the browser displays a warning.

The question is: If I use this self-signed certificate and my classmates visit the website anyway, are they less safe from hackers, malware attacks and so on?

The website doesn't require highest security: The only purpose of the website is for chatting and for ordering tickets; the payment doesn't happen on the website!

EDIT:

When you visit an unencrypted website, no warning is displayed. Does this mean no encryption is better than self-made encryption? I don't think so!

Best Answer

A self-signed certificate provides encryption like a normal certificate, but it does not provide the usual identification. Proper identification is essential for HTTPS, because otherwise impersonation of a server and man-in-the-middle attacks are possible, which in effect make the encryption useless.

You can provide proper identification with a self-signed certificate too, by giving everybody who wants to connect to your site, up front, the essential information about which certificate should be expected, i.e. by giving them the certificate itself or its fingerprint. Of course you must give this in a secure way (i.e. not in-band during the connection). You should also somehow make sure that the other party actually compares the certificate it gets to the expected one instead of just simply clicking through the warning. This works if only very few people will visit the site, but it will not scale with more visitors.

Another problem with certificates not issued by a public CA arises when SSL interception is done. This is often the case in companies, but several antivirus products do it as well. In this case, sites using a certificate which cannot be verified will often simply be blocked by the SSL interception, and one would need to explicitly add exceptions.
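One way to perform the out-of-band fingerprint check the answer describes, as an added example that is not part of the original post or its author's code: a small Python client that fetches the server's certificate, computes its SHA-256 fingerprint, and refuses to proceed unless it matches a pin that was handed over in person. The host name and pin value used in the `__main__` block are placeholders.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'abcd..' or 'SHA256:ab:cd..' and return bare lowercase hex."""
    fp = fp.strip()
    if fp.lower().startswith("sha256:"):
        fp = fp[len("sha256:"):]
    return "".join(ch for ch in fp if ch.isalnum()).lower()


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Compare the presented certificate against the pin in constant time."""
    return hmac.compare_digest(fingerprint_sha256(der_cert), normalize_fingerprint(pinned))


def fetch_server_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate (DER) without trusting any CA.

    CA verification is disabled on purpose: the pin, delivered out of band,
    is the trust anchor here, and no application data is sent until the pin
    has been checked by the caller.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def connect_pinned(host: str, pinned: str, port: int = 443) -> bytes:
    """Return the server's DER certificate only if it matches the pinned fingerprint."""
    der = fetch_server_cert(host, port)
    if not matches_pin(der, pinned):
        raise ssl.SSLError(f"fingerprint mismatch for {host}: got {fingerprint_sha256(der)}")
    return der


if __name__ == "__main__":
    # Placeholders: the real host and the fingerprint handed out in person.
    PROM_HOST = "prom.example"
    PIN_FROM_ORGANIZER = "SHA256:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
    connect_pinned(PROM_HOST, PIN_FROM_ORGANIZER)
```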