I just enabled HTTPS on my blog.
But rather than pay the ~$50/year cost of an SSL certificate, I instead opted to just use a self-signed certificate.
For somebody who works in the field of PKI this is close to blasphemy, but I did it for 3 reasons:
- The blog will be normally presented via HTTP. HTTPS is unnecessary for the content. It’s just a blog after all. The HTTPS capability is purely for the administration portal.
- I trust the self-signed certificate on my machine. If somebody attempts to intervene and present a different one, I’ll get the standard certificate mistrust warning, so I’ll know something’s up.
- I’ve spent enough money this month.
I can revoke the certificate any time, simply by removing trust.
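The trust model in the second reason above, as an added example that is not part of the original post: trust one specific self-signed certificate, and treat any other certificate presented under the same name as a mismatch. It assumes the `openssl` command-line tool is installed; the names `blog.example`, `trusted`, `impostor` and the working directory are made up for the demo. "Revocation" in this model is just deleting the trusted copy.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.
# Generates a self-signed certificate, trusts exactly that certificate,
# and shows that a different certificate with the same name is rejected.
set -eu

WORK="${TMPDIR:-/tmp}/selfsigned-demo"   # demo directory (made up)
mkdir -p "$WORK"

# make_cert BASENAME CN: write a fresh self-signed certificate and key.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# check_presented CERT: verify a presented certificate against the single
# certificate we chose to trust (trusted.crt). No public CA is involved.
# Prints "trusted" and returns 0, or prints "MISMATCH" and returns 1.
check_presented() {
  if openssl verify -CAfile "$WORK/trusted.crt" "$1" >/dev/null 2>&1; then
    echo "trusted"
    return 0
  fi
  echo "MISMATCH: presented certificate is not the one we trust"
  return 1
}

# revoke_trust: "revocation" here is simply removing the trusted copy;
# afterwards even the original certificate no longer verifies.
revoke_trust() {
  rm -f "$WORK/trusted.crt"
}

# The blog's own certificate, and a second one with the same name but a
# different key, which is what an interposed party would have to present.
make_cert trusted  blog.example
make_cert impostor blog.example

check_presented "$WORK/trusted.crt"            # trusted
check_presented "$WORK/impostor.crt" || true   # MISMATCH
```

Browsers do the same comparison when you import the certificate into the local trust store: the trusted copy is the only acceptable issuer for that site, so a substituted certificate, even one for the correct hostname, produces the mistrust warning.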
PKI is designed to allow others to trust me via some trusted authority, and vice-versa. In this instance I am the trusted authority, and after all, I'm simply trying to ensure my connection is private for authentication purposes; I don't need others to have trust.
I may purchase a certificate in the future, simply to allow for protecting my external content from manipulation, but I don’t really see that as a threat at this stage.