So let me put it clear from the first line: trusting invalid certificates is wrong.
And now I will explain why it’s wrong and why there are few excuses for it.
We are talking here about certificates for SSL encryption, which serves basically two purposes:
- Privacy — data is transferred encrypted and can only be decrypted by the intended recipient and not a third party wiretapping the line.
- Authentication — making sure the receiving end that will be able to decrypt the data is who they claim to be and data is not diverted to a different receiver by a third party with access to manipulating our transfers.
Invalid certificates obviously defeat the second purpose of verifying the other end’s identity: