By self-made HTTPS certificates, I mean one of two kinds:
1. A self-signed certificate
2. A certificate issued by an unknown CA. For example, the certificate of https://www.12306.cn is issued by the CA of China’s Railway Department.
Will there be security issues? Yes, there is a big issue, but you can work around it in some cases.
The major security issue is a privacy problem when there is a DNS trick, that is, when the site’s name is made to resolve to a server the attacker controls. Take 12306.cn as an example:
1. You visit 12306 with a browser. Due to the DNS trick, you are actually visiting the attacker’s https-based website which looks like 12306.
2. The browser then warns that the certificate is not valid. At the same time, the fake 12306 tells you to download the self-made certificate and import it to your browser, just as the real one does.
3. If you choose to ignore the warnings and go on without importing any certificate, you are now sending sensitive information to the attacker. You are in danger.
4. You may also choose to download the self-made certificate and import it, since the real 12306 asks you to do the same. After the import, the warning disappears. What you don’t know is that you have just downloaded a fake certificate made by the attacker. If you go on with this site, your information gets leaked.
If 12306 did not use an unknown CA, then under a DNS trick, when you visit the fake 12306 site, you would see a security warning that you don’t expect. You would be safe.
How can you work around this problem if the company running the server cannot afford to pay a mainstream CA? Suppose you have obtained 12306’s authentic CA certificate beforehand. For example, you have a friend working at that site who gives you the real certificate on a USB stick, and you import it before you visit the site. You will then expect to see no warnings. When you visit the fake 12306 in this case, the browser will show warnings, because the server-side certificate used by the fake 12306 does not validate against the authentic CA certificate that you imported in the first place.
The same rules apply to a site which uses a self-signed server-side certificate instead of a self-made CA certificate.
Also, if 12306 were inside an intranet that you totally trust, you wouldn’t worry about this problem at all. That’s why intranet sites often use self-made certificates.
In the case of an Internet site, you can see that “a friend working at the website’s company” is the key factor in working around this problem. That is, if you can get the real certificate beforehand, then you are safe. This is how client/server (C/S) interactions work with self-made certificates. Take an Android program for example. The server uses a self-signed certificate, and the Android app packages this certificate file, so the certificate is already in place before the app runs. At runtime, the certificate the server presents matches the packaged one.
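The effect of getting the real certificate beforehand can be reproduced offline with the openssl command line. This is an added example, not part of the original post; it assumes the openssl CLI is installed, the names "authentic" and "attacker" are made up, and both certificates are generated locally for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every key and certificate here is generated locally.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME: create a self-signed certificate for CN=www.12306.cn.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.12306.cn" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# trusts ANCHOR CERT: succeed only if CERT validates when ANCHOR is the
# single trusted certificate (the copy obtained out of band).
# The output is matched instead of the exit status because very old
# openssl releases return 0 even when verification fails.
trusts() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>/dev/null \
        | grep -q ': OK$'
}

# fingerprint NAME: SHA-256 fingerprint, for comparing two copies by eye.
fingerprint() {
    openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256
}

make_cert authentic   # the real site's certificate, handed over in person
make_cert attacker    # the fake site's certificate: same name, other key

# The client trusts only the copy it received beforehand.
if trusts authentic authentic; then
    echo "real site: accepted"
else
    echo "real site: rejected"
fi
if trusts authentic attacker; then
    echo "fake site: accepted"
else
    echo "fake site: rejected"
fi

# Both certificates claim the same name; only the fingerprints differ.
fingerprint authentic
fingerprint attacker
```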
Speaking of Android, or other client-side programs, it is important not to go for the “disable SSL validation” approach. In Android or Java, this is normally done with a “trust-all” trust manager, one that accepts every certificate it is shown. If you go this way and you get DNS tricked, you will leak information to the attacker’s fake server, because it is like “ignoring browsers’ warnings when visiting a website with self-made certificates”.