No, the certs are otherwise valid, but the problem is that once Firefox has seen a cert for a given address, if another address presents an identical cert, the second address cannot be browsed to without shutting down the browser and deleting the entire cert store.
Other offenders off the top of my head: BMC interface on Intel boards, HP iLO for blade management, F5 load balancers.
Yeah, they shouldn't be doing that, but the only thing being asked for here is a bleeding override button.
I find it curious that the people complaining about this don't instead install valid certificates. That was routine for us even a decade ago because otherwise you're literally training your admin staff to ignore errors and enter sensitive passwords every time a security warning pops up.
That's never good and it feels dangerously close to professional negligence when it's a password which gives privileged access to a server.
EDIT: just to be clear, I don't think this is “these people are crazy” so much as “what reason is good enough to justify leaving yourself exposed like this?” Even the cheap devices I bought in the early 2000s allowed you to install SSL certs and installing something real was a routine part of the first-time install.
People probably don't install valid certificates because they can't. Consumer routers (think Linksys) are locked-down devices and things like SSL certificates are baked into the firmware. I'm curious what sorts of cheap devices you bought supported custom certificates; were they consumer-oriented? (That wasn't rhetorical; actually interested.)
Personally, I usually end up using plain unencrypted http instead, which is a net negative in terms of security (doesn't even protect against passive adversaries), but that seems to be what the SSL implementers prefer.
I've definitely run into consumer devices which allowed me to upload an SSL cert somewhere in the advanced settings but mostly I was thinking about the people on the bug commenting that their enterprise network, server management, etc. gear had bad certs. Even in the late 90s you could do this because .mil/.gov and many corporate purchasing contracts tended to require it.