
If you perform certificate pinning, self-signed can be just as secure. I wish the message were slightly less scary, perhaps saying, as SSH does, "you've never visited this site before, do you trust this certificate?"


(user clicks "yes" and proceeds oblivious)


as opposed to unencrypted HTTP?


I can teach my computer-illiterate grandma simply "never do email unless the address bar is green"; she can remember that.

As opposed to: never do email unless the address bar is green, except when:
- It's the first time you visit the web site.
- You use another browser.
- You bought a new computer/tablet/phone, reinstalled your computer, etc.
- You accidentally cleared your browser history.
- You are on a public wifi the very first time you visit a web site.
- The website changed their certificate since the last time you used it.
- You happen to be unlucky and even at home you are under a MITM attack the very first time you visit the page.

The last bullet is especially troublesome because even a programmer would have a hard time judging that one.



