
Re: Port 5552 = SSL?

Honestly, it sounds like you should unplug the ethernet cable.

In your scenario, your "members" would have to go and specifically tell their program/browser to ignore security checks when connecting to your service. So, you are actually reducing your security because you are training members to blindly click through the SSL warning message... so in the future, if someone DID spoof your server, you are making their job a lot easier - your users will get an SSL warning that the cert is not trusted, they will blindly click through it and give the attacker all their data.

In an attempt to build taller walls, you burned down your castle.

Also, it is not possible to "eavesdrop" on SSL connections. It's by design - they are encrypted and to date, have not been broken by any government agency or individual (seriously, it hasn't. The internet would be in chaos if something so central to the internet ceased to function). You can surely collect SSL data (which the NSA is doing), but what can you do with a bunch of highly encrypted packet data?

Well, you can try to decrypt it. Encryption is not and never was meant to be always secure... the point of encryption is to make it infeasible, with current technology and computing power, to crack it. We have only recently been able to break 64-bit encryption, let alone 128-bit or 256, 512, etc. So by the time we can easily crack 128-bit encryption, the data it was protecting will likely not be relevant anymore (statute of limitations run out, dated info, old passwords not in use, etc).

Unless there is a man-in-the-middle attack or similar, which I already mentioned you made easier for the attacker, then you are OK with a CA-signed cert.

Just to be straight up with you -- self-signed certs are almost always used as a cost savings, not for any technical or security-related reason. But, since you can pick up a GoDaddy SSL cert for as low as 12 USD, then it's not much of a savings anymore given the added administration overhead it implies.

