Don't forget too that most browsers will poll the user whether to accept a self-signed cert for the page the user's trying to load, but will simply fail when a service in that page tries to pull data over SSL from a domain with a self-signed cert. Flash, JS, etc.
I've been experimenting recently with spreading out databases geographically and letting clients (and to a lesser extent, DNS) do the bulk of the load balancing on data-intensive projects. I've gotten some great results. But right now, users would have to pre-visit a page at each data site and approve it in the browser. Or I could get a massively expensive wildcard cert and then make A-records for each of those sites, but I'd rather just access them straight through their IP addresses for speed.
The whole thing just irks me. All I want to do is make sure this line is encrypted between the end user and their ISP. That should be mandatory these days; but instead I have to pay for a cert on every single DB server?!