But how do you validate the certificate in a cryptographically secure way? Do you verify certificate fingerprints out of band with the service provider, or Trust On First Use (TOFU) as @navigium suggests? Self-signed protects against a passive attacker, but without some validation technique it leaves a simpler attack path for the active attacker.
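The two validation options the comment mentions, out-of-band fingerprint verification and TOFU, can be implemented as the same check: compare the SHA-256 fingerprint of the presented certificate against a stored value. The following is an added example, not code from the thread's author or from any project; it uses only the Python standard library and operates on constructed DER byte strings standing in for real certificates. The `TofuStore` class, its on-disk JSON format and the `check_certificate` function are assumptions introduced here for illustration.

```python
import hashlib
import json
import os

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE_CERT_DER = b"\x30\x82\x01\x00" + b"genuine-cert-body"
IMPOSTOR_CERT_DER = b"\x30\x82\x01\x00" + b"impostor-cert-body"


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl prints it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class TofuStore:
    """Hypothetical pin store: host -> fingerprint, persisted as JSON."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self):
        with open(self.path, "w") as f:
            json.dump(self.pins, f)

    def pin_out_of_band(self, host: str, expected_fingerprint: str):
        """Pre-seed a pin from a fingerprint confirmed with the operator out of band."""
        self.pins[host] = expected_fingerprint.upper()
        self._save()

    def check_certificate(self, host: str, der_bytes: bytes) -> str:
        """Return 'pinned' on first sight, 'ok' on match, 'mismatch' on a changed cert.

        A mismatch never overwrites the stored pin: the operator must clear it
        deliberately, otherwise an active attacker could simply replace it.
        """
        seen = fingerprint(der_bytes)
        stored = self.pins.get(host)
        if stored is None:
            # TOFU: the first connection is the one we cannot verify cryptographically.
            self.pins[host] = seen
            self._save()
            return "pinned"
        if seen == stored:
            return "ok"
        return "mismatch"


def demo(path: str) -> list:
    """Walk through first use, a repeat connection, and an impostor certificate."""
    if os.path.exists(path):
        os.remove(path)
    store = TofuStore(path)
    results = [
        store.check_certificate("example.test", GENUINE_CERT_DER),   # pinned
        store.check_certificate("example.test", GENUINE_CERT_DER),   # ok
        store.check_certificate("example.test", IMPOSTOR_CERT_DER),  # mismatch
    ]
    # Reload from disk to confirm the mismatch did not replace the original pin.
    reloaded = TofuStore(path)
    results.append(reloaded.pins["example.test"] == fingerprint(GENUINE_CERT_DER))
    return results


if __name__ == "__main__":
    print(demo("tofu_pins_demo.json"))
```

Out-of-band verification is the same store seeded with `pin_out_of_band` before the first connection, which removes the one window TOFU cannot cover: an active attacker who is already in the path on first use.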