> But with respect to impostors and men in the middle, they're equivalent.
Sometimes. But usually not... The most valuable thing about a self-signed certificate from my point of view is that you can detect when the cert changes -- so if someone hijacks your connection to a site you've used before, you *know*. This describes the vast majority of sites that I trust with sensitive information -- I have a relationship with them! And even if your first visit to some site gets hijacked, whenever you visit that site again later you will at least discover that it happened (because the real non-hijacked connection will use a different cert than you're expecting).
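The change detection described in the comment above is trust-on-first-use pinning. The sketch below is an added example, not part of the original comment or of any browser's code; `PinStore`, `fingerprint`, `demo` and the host `example.test` are hypothetical names, and the certificate bytes are constructed stand-ins for DER-encoded certificates so the example runs offline.

```python
import hashlib
import hmac
import json
import os
import tempfile

FIRST_SEEN, MATCH, CHANGED = "first-seen", "match", "changed"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the certificate's DER encoding, as hex."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """Remembers, per host, the fingerprint of the first certificate seen."""
    def __init__(self, path: str):
        self.path, self.pins = path, {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, host: str, der_cert: bytes) -> str:
        seen = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so remember it.
            self.pins[host] = seen
            with open(self.path, "w") as fh:
                json.dump(self.pins, fh)
            return FIRST_SEEN
        # Later contact: a difference means the cert changed. The pin is never
        # overwritten silently; a legitimate re-issue also lands here.
        return MATCH if hmac.compare_digest(pinned, seen) else CHANGED

def demo():
    """Runs both cases from the comment on constructed certificate bytes."""
    real = b"constructed: the site's self-signed cert"
    fake = b"constructed: an interceptor's cert"
    with tempfile.TemporaryDirectory() as d:
        a = PinStore(os.path.join(d, "a.json"))   # known site, hijacked later
        known = [a.check("example.test", c) for c in (real, real, fake)]
        b = PinStore(os.path.join(d, "b.json"))   # first visit was hijacked
        hijacked_first = [b.check("example.test", c) for c in (fake, real)]
        # The pin survives a restart, so the later real visit still mismatches.
        reopened = PinStore(os.path.join(d, "b.json")).check("example.test", real)
    return known, hijacked_first, reopened

if __name__ == "__main__":
    print(demo())
```

A `changed` result cannot by itself say which of the two certificates was the genuine one, which is why the second case only reveals the earlier hijack after the fact.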