It's better than plain HTTP if your browser will complain next time if the cert changes, because at least you're assured that if you weren't under attack on first visit, you're not under attack now. Displaying a huge error when the site has made some effort is ironic.
(The point of the error is that a normal, valid certificate means that some CA has vouched for the identity of the website. When it's some random website you don't care about, this isn't important. When it's your bank or a business, it is.)
Exactly so. This is the SSH model, and I love it. How does a CA's signature protect against phishing anyway? It doesn't. Equifax signs both the real site and the fake site.
Ian Grigg uses a self-signed certificate on purpose (he and I both have some unconventional views on the efficacy of CAs). In Firefox it's a simple matter to accept this site as a security exception. Now whenever I visit financialcryptography.com, I know I'm at the authentic site because I don't get a security warning. And that's without using a CA.
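The "SSH model" the two comments above describe is trust-on-first-use (TOFU): remember the certificate seen on the first visit, accept it silently afterwards, and complain only if it changes. The following is an added illustration, not code from anyone in this thread; it uses a known-hosts-style pin store keyed by hostname and two constructed byte strings standing in for DER certificates (no real certificates or CA involved). The hostname is the one mentioned above; everything else is assumed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict

# Pin store: hostname -> SHA-256 fingerprint of the DER-encoded leaf certificate.
# This plays the role of ~/.ssh/known_hosts (or a browser's stored security
# exception); it is an in-memory dict here so the example runs offline.
PinStore = Dict[str, str]

# Constructed stand-ins for DER certificate bytes (NOT real certificates).
CERT_FIRST_VISIT = b"constructed-der-cert-for-financialcryptography.com-v1"
CERT_AFTER_CHANGE = b"constructed-der-cert-for-financialcryptography.com-v2"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated hex (openssl style)."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def tofu_check(store: PinStore, host: str, der_cert: bytes) -> str:
    """Trust-on-first-use decision for one connection.

    Returns one of:
      "first-use": no pin for this host yet; record it and proceed. This is the
                   only visit an attacker would need to intercept, which is the
                   caveat the first comment makes ("if you weren't under attack
                   on first visit").
      "match":     certificate is identical to the pinned one; proceed silently.
      "changed":   certificate differs from the pin; this is the case where the
                   client should refuse or raise the loud warning.
    Note the store is per hostname: a look-alike hostname is simply a new
    first-use, so TOFU, like a CA signature, does nothing against phishing.
    """
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "first-use"
    # Constant-time compare; the fingerprint is not secret, but it's a good habit
    # for any comparison that gates a trust decision.
    if hmac.compare_digest(pinned, fp):
        return "match"
    return "changed"


def save_store(store: PinStore) -> str:
    """Serialise the pin store (what a real client would write to disk)."""
    return json.dumps(store, sort_keys=True)


def load_store(blob: str) -> PinStore:
    """Reload a serialised pin store."""
    return dict(json.loads(blob))


def simulate_visits(host: str = "financialcryptography.com") -> list:
    """Three visits: first use, repeat with same cert, then a changed cert."""
    store: PinStore = {}
    results = [tofu_check(store, host, CERT_FIRST_VISIT)]
    # Persist and reload between visits, as a browser restart would.
    store = load_store(save_store(store))
    results.append(tofu_check(store, host, CERT_FIRST_VISIT))
    results.append(tofu_check(store, host, CERT_AFTER_CHANGE))
    return results


if __name__ == "__main__":
    for visit, outcome in enumerate(simulate_visits(), start=1):
        print(f"visit {visit}: {outcome}")
```

The "changed" outcome is where the policy question in the thread lives: a legitimate key rotation and an active interception look identical to the client, so what happens on "changed" (hard fail, or a warning the user can click through as with a Firefox security exception) is what decides how much protection the model actually gives.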