How secure is it to use self-signed certificates? As far as I understand it, an attacker could pretend to be my server if I don't have a certificate from an authority. Is this much of a risk?

Should I buy a certificate for Subversion?

+8  A: 

There's no real harm in using self-signed certs for in-house projects as long as everyone is aware. From a security standpoint, you may want to distribute the cert to your users so that they can ensure it's valid when they make the initial connection. There's no reason to pay for a cert in this case. A self-signed cert provides the same level of cryptographic protection as a paid cert; it just isn't automatically trusted by the client program.

Mykroft
A slightly more extensible solution is to create and distribute a company's own CA certificate. You can then issue as many certificates as you want to various servers in your company without having to distribute the certificates.
Alexander
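
The out-of-band check described in the answer above, as an added example that is not part of the original post: the administrator distributes the certificate's fingerprint, and the user compares it with what the server presents on the first connection. The function names, the choice of SHA-256, and the sample PEM blocks (constructed stand-in bytes, not real certificates) are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint(pem: str) -> str:
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex as typed from a memo."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def matches_pin(pem: str, pinned_fp: str) -> bool:
    """True only if the presented certificate is the one that was distributed."""
    return hmac.compare_digest(fingerprint(pem), normalize(pinned_fp))


def check_server(host: str, port: int, pinned_fp: str) -> bool:
    """Fetch whatever certificate the server presents (no CA validation is
    done here, which is the point for a self-signed cert) and compare it
    with the fingerprint received out of band."""
    pem = ssl.get_server_certificate((host, port))
    return matches_pin(pem, pinned_fp)


def _constructed_pem(body: bytes) -> str:
    # Constructed sample: arbitrary bytes wrapped in PEM armor so the
    # example runs offline. A real run would use the server's actual cert.
    return ssl.DER_cert_to_PEM_cert(body)


SAMPLE_PEM = _constructed_pem(b"constructed-cert-distributed-by-admin")
IMPOSTOR_PEM = _constructed_pem(b"constructed-cert-from-someone-else")

if __name__ == "__main__":
    pin = fingerprint(SAMPLE_PEM)
    print("pinned fingerprint:", pin)
    print("genuine server :", matches_pin(SAMPLE_PEM, pin))
    print("impostor server:", matches_pin(IMPOSTOR_PEM, pin))
```

With a company CA, as in the comment above, the per-certificate pin is replaced by distributing the CA certificate once and letting normal chain validation do the comparison.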