Self-signed TLS certificates are not evil, nor are they "broken"

One more hopeless rant I have been engaged in for the last 20 years or more. What is totally broken, however, are the UX decisions that mark them «evil». Self-signed TLS certificates possess no more intrinsic evil qualities than your beloved ssh and gpg keys.

The intent behind ostracising self-signed certificates is noble: everybody should do… should be forced to do things the one proper way: for the intranet you should deploy your own private root CA and distribute its certificate to all the clients; for the internet there are affordable solutions like letsencrypt to save you from the calamities of certificate management and huge expenses.

Yet it is nothing but wishful thinking and thus rotten to the root. Every, I repeat, every single company network I have ever seen (with a few exceptions that qualify as hobbyist projects) had tons and tons of self-signed stuff, regardless of whether they had an internal CA or not. Most of it was just «temporary», yet, as you know, the most permanent things are the «temporary» ones. Smaller companies just do not have an internal CA at all.

(I intentionally leave out, for now at least, the question of whether it is always a good idea to get a «trusted third party» involved, and, moreover, to give infinite, total trust to a vast and vague set of «third parties».)

We need to accept this situation, understand it and adapt accordingly. The vulnerability window for a self-signed certificate is pretty narrow: it exists only at the very moment you make «initial» contact with the resource (or when the certificate changes, which is quite an uncommon scenario). If no evil actor intervened at that moment, you are safe from then on, because every later connection can be checked against the certificate you remembered; there are numerous scenarios where there is actually no need for any trusted third party. This is exactly how it works with ssh (unless you deployed that complex set of scripts, you know). Oh, no. You would be safe, if those stupid broken UIs did not complicate things, distracting you with a flood of pointless warnings that never stops, effectively concealing the actual attack when it happens: a warning about a certificate that has changed looks just like the thousandth warning about a certificate that is merely self-signed.
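The ssh-style trust-on-first-use workflow described above, written out as an added Python example (not code from the post): a known_hosts-like store that keeps the three situations a client can be in (first contact, same certificate as before, different certificate) as three distinct outcomes, and refuses to overwrite a pin silently. Only the standard library is used; the host names, ports and certificate bytes in the demo are constructed stand-ins, and `fetch_leaf_cert`/`connect_pinned` are the network variant for a real host.

```python
"""Trust-on-first-use (TOFU) pinning for a self-signed TLS certificate.

Added example, not code from the original post. Host names, ports and the
"certificate" bytes in demo() are constructed stand-ins for real DER.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Optional

FIRST_CONTACT = "first-contact"  # nothing pinned yet: the only moment an attacker can win
MATCH = "match"                  # same certificate as last time: stay silent
CHANGED = "changed"              # different certificate: treat as an attack until proven otherwise


class PinMismatch(Exception):
    """Raised when a host presents a certificate other than the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as hex (what `openssl x509 -fingerprint -sha256` shows)."""
    return hashlib.sha256(der_cert).hexdigest()


class KnownCerts:
    """Minimal ~/.ssh/known_hosts analogue mapping "host:port" -> fingerprint.

    With path=None the store lives only in memory (as in demo() below).
    """

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins: dict = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    @staticmethod
    def _key(host: str, port: int) -> str:
        return f"{host.lower()}:{port}"

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Classify the presented certificate; pin on first contact, never overwrite silently."""
        fp = fingerprint(der_cert)
        key = self._key(host, port)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = fp
            self._save()
            return FIRST_CONTACT
        if pinned == fp:
            return MATCH
        return CHANGED  # the old pin stays; only accept() can replace it

    def accept(self, host: str, port: int, der_cert: bytes) -> None:
        """Explicit, user-driven rotation: the only way a CHANGED certificate becomes trusted."""
        self.pins[self._key(host, port)] = fingerprint(der_cert)
        self._save()


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the DER certificate presented by host:port without CA validation.

    CA validation is switched off on purpose: the pin is what gets verified,
    so this is the ssh trust model, not a bypass to be used on its own.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def connect_pinned(store: KnownCerts, host: str, port: int = 443) -> str:
    """Network version: pin on first contact, accept a match, refuse a change."""
    status = store.check(host, port, fetch_leaf_cert(host, port))
    if status == CHANGED:
        raise PinMismatch(f"{host}:{port} presented a certificate different from the pinned one")
    return status


def demo() -> list:
    """Offline walk-through on constructed certificate bytes."""
    store = KnownCerts()
    cert_a = b"constructed DER stand-in: the intranet box's own certificate"
    cert_b = b"constructed DER stand-in: something else, maybe an attacker"
    results = [
        store.check("intranet.example", 443, cert_a),  # first-contact: pinned now
        store.check("intranet.example", 443, cert_a),  # match: no dialog needed
        store.check("intranet.example", 443, cert_b),  # changed: loud, separate event
        store.check("intranet.example", 443, cert_a),  # still match: pin was not overwritten
    ]
    store.accept("intranet.example", 443, cert_b)  # the admin really did rotate the certificate
    results.append(store.check("intranet.example", 443, cert_b))  # match again
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is in `check`: a changed certificate is reported, never silently re-pinned, and the only path to trusting it is the explicit `accept` call, which is what a sane UI would put behind a dialog that looks nothing like the first-contact one.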

For now, however, we see a lot of totally unprotected resources, served in plaintext and susceptible to MITM attacks, because, you know, self-signed certificates were proclaimed evil and you should not use them anyway, mkay? And that is also why nearly all small/home office wireless environments are contaminated with the hideously misdesigned WPA2-PSK (at least until WPA3 arrives, which is only on the horizon): WPA2-Enterprise requires complicated «certificate management», since you cannot just say «remember this access point» on the client, and therefore no vendor bothers to build a RADIUS server into the wireless controller.
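For what it is worth, wpa_supplicant can already do the «remember this access point» thing: its `ca_cert` option accepts `hash://server/sha256/<hex>`, which pins the RADIUS server's own certificate by the SHA-256 of its DER encoding and ignores any CA chain, so a self-signed RADIUS certificate works without distributing a root CA. The fragment below is an added, constructed example (not from the post or any vendor): the SSID, identity, password and the 64-digit hash are made up, and the hash for a real server comes from `openssl x509 -in radius-server.pem -outform DER | sha256sum`.

```conf
# Constructed wpa_supplicant.conf fragment, added as an example.

# The weak setting: one passphrase shared by everybody, forever. Anyone who
# has it can impersonate the access point and decrypt other clients' traffic.
network={
    ssid="office"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}

# WPA2-Enterprise with the RADIUS server's self-signed certificate pinned by
# hash. No root CA, no chain: only a server presenting exactly this
# certificate gets the client's per-user credentials. Without the pin,
# PEAP/MSCHAPv2 would hand the password hash to any rogue AP that answers.
network={
    ssid="office"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="per-user secret"
    phase2="auth=MSCHAPV2"
    ca_cert="hash://server/sha256/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
}
```

The catch is the same one as everywhere else on this page: the pin is only as good as the first contact, and when the RADIUS certificate is rotated every client needs the new hash, which is the «certificate management» that keeps small offices on PSK.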

Every time I add a self-signed certificate to Safari I get a scary dialog about «changing my trust settings», which always makes me doubt: did I just add a site certificate to the trust store? Or was it Honest Achmed's root CA that I just granted full permissions to? With the current workflow it is hard to tell.