I'm sorry if this is the wrong place to put this, but since I normally code in C#, and my potential solution would involve using C# I figured this would be the best place to start.
I've been given a task at work to allow our customers the ability to transmit confidential record information from their office to our in-house, or possibly a new cloud-based, server.
I have been rather adamant that to transmit said data, an SSL certificate must be acquired by us through a third party. But I'm wondering if that really is true.
The more I researched SSL certificates the more I've come to realize that all they really are is one company vouching for another. The encryption (even on an expired certificate or on a self-signed certificate) works and the encryption is just as secure as one that isn't. Sure, the user is presented with nasty icons and red screens showing that "hey! this may not be safe!" But if the user doesn't visit a "https" prefixed website and only visits a "http" website, what would be wrong with encrypting data client-side, submitting it to our server, decrypting it server side and vice-versa?
Encryption is encryption right?
Or what if a WinForms app was created that did the same as above? Encrypt data, submit it to our servers and the servers decrypt it.
I just can't justify paying thousands of dollars a year to have Verisign, or whoever, issue us a certificate when 99% (I'm willing to bet) of the users on the internet don't even bother checking the validity of the certificate.
I obviously want to make sure everything IS secure, and I'm not downplaying the role of SSL certificates or keeping things secure, but I just fail to see the logic behind acquiring one, if the same type of encryption can be achieved in-house with better control and, if you ask me, better security.
Any thoughts or opinions?
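The flow the question proposes, client-side encryption with no certificate anywhere, as an added example (editor's code, not the poster's; Python rather than C# so it runs stand-alone). The two endpoints agree on a key with Diffie-Hellman (RFC 3526 group 14) and then encrypt and authenticate each record; the HMAC-SHA256 counter-mode cipher is a stdlib stand-in for a library AEAD, and the record text is constructed. The same endpoint code runs twice: once directly, once with an interceptor relaying the key-agreement messages.

```python
"""Client-side encryption with no certificate: same cipher, different key holder.

Editor's added example, not code from the original post. Parties, record text and
the "records-demo" salt are constructed for the demo; the DH group is RFC 3526 group 14.
"""
import hashlib
import hmac
import os
import secrets

# 2048-bit MODP prime, RFC 3526 group 14; generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def derive_keys(shared: int) -> tuple[bytes, bytes]:
    """HKDF-style split of the DH shared secret into an encryption key and a MAC key."""
    prk = hmac.new(b"records-demo", shared.to_bytes(256, "big"), hashlib.sha256).digest()
    return (hmac.new(prk, b"enc", hashlib.sha256).digest(),
            hmac.new(prk, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter mode over HMAC-SHA256 as the PRF; a demo stand-in for a library AEAD.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("tag mismatch: ciphertext altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Party:
    """One endpoint. It knows only its own key pair and whatever public value it is handed."""

    def __init__(self):
        self._priv = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self._priv, P)
        self.keys = None

    def finish(self, peer_public: int) -> None:
        # Nothing here checks *whose* public value this is; that binding is what a
        # certificate (CA-issued or a pinned self-signed one) supplies.
        self.keys = derive_keys(pow(peer_public, self._priv, P))

    def send(self, msg: bytes) -> bytes:
        return encrypt(*self.keys, msg)

    def recv(self, blob: bytes) -> bytes:
        return decrypt(*self.keys, blob)


def direct_exchange(record: bytes) -> bytes:
    """Client and server exchange public values with nobody in between."""
    client, server = Party(), Party()
    client.finish(server.public)
    server.finish(client.public)
    return server.recv(client.send(record))


def intercepted_exchange(record: bytes) -> tuple[bytes, bytes]:
    """Identical endpoints, but an interceptor substitutes its own public values.

    Returns (plaintext the interceptor read, plaintext the server received).
    """
    client, server = Party(), Party()
    to_client, to_server = Party(), Party()   # the interceptor's two faces
    client.finish(to_client.public)           # client believes this is the server's value
    to_client.finish(client.public)
    server.finish(to_server.public)           # server believes this is the client's value
    to_server.finish(server.public)
    blob = client.send(record)                # encrypts and tags correctly...
    seen = to_client.recv(blob)               # ...under a key the interceptor shares
    return seen, server.recv(to_server.send(seen))


if __name__ == "__main__":
    rec = b"record 1187: constructed sample, nothing sensitive"   # constructed input
    print("direct round-trip :", direct_exchange(rec) == rec)
    seen, delivered = intercepted_exchange(rec)
    print("intercepted       :", delivered == rec, "| interceptor read:", seen)
```

In both runs every ciphertext decrypts and every tag verifies, so "encryption is encryption" holds as far as the cipher is concerned. What differs is who shares the key: in the second run the interceptor does, because `finish` accepts any public value handed to it. Whatever vouches for the server's key, a CA-signed certificate or a self-signed one the client has been told to pin, is the piece that lets the client refuse the substituted value; it is not the piece that does the encrypting.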