Is it possible to prevent man-in-the-middle attack when using self-signed certificates?

感动是毒 2021-02-14 06:51

I'm not sure if a similar question has been asked before (I couldn't find any), but is it possible to protect Client/Server from Man-In-The-Middle attack?

I'm writin

3 answers
  •  野的像风
    2021-02-14 07:12

    If you can protect your private keys well enough, a middleman will not be able to masquerade as you, assuming the user actually looks at the certificate. The problem with self-signed is that if you want the user to add the exception to their browser, or just ignore the warning, then you are exposed to man-in-the-middle attack, because anyone else may create their own certificate.

    Of course, "protecting your private keys well enough" is not trivial at all. When you pay for a "Verisign" certificate, you're not paying for their software creating the certificate - you're paying for the security forces they have guarding the building in which the private keys are stored.
