In other words, what would be the security risk of not signing public key certificates by certificate authorites (from a user perspective)? I mean, the data is still encrypted... What could a man in the middle do with a non signed certificate?
In other words, what would be the security risk of not signing public key certificates by certificate authorites (from a user perspective)? I mean, the data is still encrypted... What could a man in the middle do with a non signed certificate?
The purpose of SSL when used with HTTP is not just to encrypt the traffic, but also to authenticate who the owner of the website is, and that someone's been willing to invest time and money into proving the authenticity and ownership of their domain.
It's like purchasing a relationship, not just encryption, and the relationship instils, or assumes, a certain level of trust.
That said, I asked a similar question a few months ago, and the basic answer that came back was "SSL is a bit of a scam"
Imagine a situation where you are to deliver $1,000,000 to a person named John Smith you have never met or communicated with. You are told you can meet him in a crowded public location. When you go to meet him you will need some way to be sure that he is actually the person you are looking for, and not some other random person claiming to be John Smith. You might ask for some government ID, a business card. You might ask a person you trust who has actually met the John Smith for help identifying him.
A self-signed certificate uniquely identifies a system, but it doesn't do anything to prove that the system is who it claims to be. I can easily self-sign a certificate and claim to be serverfault.com, google.com, or yourbank.com. Certificate Authorities basically act as a third party that is trusted by the client to verify a certificate is actually valid for the name the site claims to own.
The SSL business is indeed a bit of a scam. More than a bit, in fact, when you're paying about 20p per byte for some cryptographically-interesting data. What you're paying for is for whichever CA you use to sign your certificate with one of their private keys after proving to themselves that you are indeed entitled to use the domain/host name that the certificate is for. As Farseeker says, it's a trust relationship - the CA trusts you (after they've vetted you), the world's web browsers trust the CA (usually), and therefore the worlds web browsers will trust your cert. And don't get me started about Extended Validation...