What's the deal? Why don't they have a legitimate certificate?
Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.
The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.
Unfortunately, the browser message is very frighteningly worded. Which is just how the sellers of commercial certificates like it.
This is only partly correct. While you can generally trust a self-signed certificate to establish an SSL connection, haphazardly allowing the self-signed paypa1.com to get the immediate go-ahead from a browser is a terrible idea. The warning pages are essentially asking users:
are you sure you know what you are about to fucking do? If anything, browsers are too lax towards established certificate authorities.
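Both replies above turn on the same point: a self-signed certificate still encrypts the connection, but the identity check that a CA would normally supply has to come from you, and a mismatch is exactly the moment the browser warning is asking about. The script below is an added example, not code from anyone in this thread, showing how that check is done in practice: the client skips CA validation entirely and instead authenticates the peer by comparing the SHA-256 fingerprint of its certificate (the value a browser's certificate viewer or `openssl x509 -fingerprint -sha256` displays) against a pin you obtained out of band, in this case from the site's forum. The host, port and pin value in the usage stanza are placeholders to fill in; the constant-time comparison and the refusal to proceed on mismatch are the part worth copying.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(fp: str) -> str:
    """Convert 'AB:CD:...' (the browser / openssl display form) to plain lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as hex; this is what browsers show."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fp: str) -> bool:
    """Constant-time comparison of the observed fingerprint with the pinned one."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalize_fingerprint(pinned_fp))


def connect_with_pin(host: str, port: int, pinned_fp: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection authenticated by certificate pin rather than by a CA.

    CERT_NONE disables the CA chain check, so the pin comparison below is the
    ONLY thing standing between us and paypa1.com; never drop it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # identity is established by the pin, not a CA
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # DER bytes are available even with CERT_NONE
    if der is None or not pin_matches(der, pinned_fp):
        tls.close()
        seen = sha256_fingerprint(der) if der else "no certificate"
        raise ssl.SSLError(f"pinned fingerprint mismatch for {host}: server presented {seen}")
    return tls


if __name__ == "__main__":
    # Placeholder values (assumptions, not from the thread): replace with the real
    # host and the fingerprint published out of band by the site operator.
    PINNED = "AB:CD:EF:" + ":".join(["00"] * 29)
    try:
        sock = connect_with_pin("example.invalid", 443, PINNED)
        sock.close()
        print("pin verified")
    except (OSError, ssl.SSLError) as exc:
        print(f"refused: {exc}")
```

If the pin does not match, the connection is torn down before any application data is sent; that is the correct reaction, and it is the same decision the browser is delegating to the user with its warning page. Pins also have to be rotated whenever the site regenerates its self-signed certificate, which is the operational cost of doing the CA's job yourself.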