The only time self-signed certificates are insecure is if you don't verify them. What has to be checked out-of-band is the certificate's identity, in practice its fingerprint (or the public key itself); a self-signed cert's own signature proves nothing, since the cert signs itself. Usually that check is delegated to a Certificate Authority (the browser ships with pre-defined CA certs and checks the CA's signature on the cert), but a fingerprint can just as well be verified through other secure channels, e.g. in person, in a GnuPG-signed message, in an OTR conversation, &c. The trade-off is that key rotation and revocation then have to travel over that same channel. I trust those three far more than any hierarchical PKI Certificate Authority. !infosec !crypto
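What "verify it out-of-band" looks like in code, as an added example (not from the original post): the client disables the CA check, which cannot apply to a self-signed cert, and instead compares the SHA-256 fingerprint of the peer's DER certificate against the value you obtained in person / over GnuPG / over OTR, closing the socket before any application data is sent if it does not match. The `PinStore` class is a hypothetical helper in the spirit of ssh's `known_hosts`; the demo bytes at the bottom are constructed stand-ins for a real DER certificate, and `ssl`, `hashlib` and `hmac` are the Python standard library.

```python
"""Out-of-band fingerprint pinning for a self-signed TLS certificate.

Added example, not code from the original post. Real stdlib APIs (ssl,
hashlib, hmac, socket); `PinStore` and the demo bytes are hypothetical.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Dict, Optional


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated, upper-case form that
    `openssl x509 -noout -fingerprint -sha256` prints, so the value read
    out over the phone or pasted into a signed message compares by eye."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept a fingerprint with or without colons, any case, stray spaces."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(der_cert: bytes, expected_fp: str) -> bool:
    """Compare the peer's certificate against the out-of-band fingerprint.
    hmac.compare_digest keeps the comparison constant-time."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize(expected_fp))


class PinStore:
    """Hypothetical known_hosts-style store: a fingerprint is pinned only
    after it was verified out-of-band, and any later change is a hard error
    (possible MITM), never silently accepted."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def pin(self, host: str, verified_fp: str) -> None:
        self._pins[host] = normalize(verified_fp)

    def check(self, host: str, der_cert: bytes) -> str:
        known: Optional[str] = self._pins.get(host)
        if known is None:
            return "unknown"      # nothing verified yet: do not trust
        if fingerprint_matches(der_cert, known):
            return "ok"
        return "mismatch"         # key changed: abort and re-verify OOB


def connect_pinned(host: str, port: int, expected_fp: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection to a self-signed endpoint and enforce the pin.

    CA verification is off on purpose (there is no CA for a self-signed
    cert); all of the security comes from the fingerprint comparison below.
    check_hostname must be cleared before verify_mode is set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)   # still sends SNI
    der = tls.getpeercert(binary_form=True)
    if der is None or not fingerprint_matches(der, expected_fp):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"pin mismatch for {host}: got {fingerprint_sha256(der or b'')}")
    return tls


if __name__ == "__main__":
    # Constructed stand-in for DER certificate bytes (not a real cert).
    demo_cert = b"abc"
    oob_fp = fingerprint_sha256(demo_cert)   # the value exchanged OOB
    store = PinStore()
    print("before pinning:", store.check("example.test", demo_cert))
    store.pin("example.test", oob_fp)
    print("after pinning: ", store.check("example.test", demo_cert))
    print("tampered cert: ", store.check("example.test", b"abd"))
```

To use it against a live host, run `openssl x509 -noout -fingerprint -sha256 -in server.pem` on the server side, carry that string over your trusted channel, and pass it as `expected_fp` to `connect_pinned`.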