Is my SSL connection encrypted if the certificate isn't trusted?
SSL consists of two major parts:
- the encryption of the data
- the validation that you are actually talking to the expected server
If you get the warning about an untrusted certificate, then the encryption will still work, but you cannot be sure that you are talking to the expected server. This means a man in the middle attack might be possible, where an active attacker will decrypt, sniff, and re-encrypt the traffic. That is, instead of this:
Browser <----------- encrypted -----------------------> Bank
you get this:
Browser <-- encrypted --> Attacker <--- encrypted ----> Bank
In this case the attacker can sniff all data (passwords etc.) and even modify the data, and the client will not notice it. The connections are still encrypted, but not end-to-end (browser-to-server): they run browser-to-attacker and again attacker-to-server.
Usually you should not override the warning by the browser, because chances are high that there is a man in the middle attack going on. Only in the case where you know that the certificate is the expected one (verify the fingerprint, not just the subject of the certificate) can you override the warning.
Note that there are cases of legal man in the middle attacks, i.e. SSL interception done by antivirus proxies or by middleboxes (firewalls) so that these can analyse the encrypted traffic. In this case your computer is either automatically configured to trust these certificates or you need to explicitly import the proxy-CA which signed the new certificates. If you are having such a problem while using your own computer inside the company, please ask the network administrator how you should proceed and don't simply accept the certificates.
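The answer above says the only safe reason to override the warning is knowing the certificate is the expected one, checked by fingerprint rather than by subject (the subject of a self-signed or attacker-issued certificate can say anything). The following script is an added example, not code from the original answer or its author; it uses only the Python standard library. It first checks whether the chain validates against the system trust store (the case where a browser would show no warning), and if not, retrieves the presented leaf certificate without trusting it, prints its SHA-256 fingerprint, and compares it in constant time against a fingerprint obtained out of band. The host, port and expected fingerprint in the `__main__` block are placeholders, not values from the page.

```python
"""Check an untrusted TLS certificate by fingerprint before deciding whether
an 'untrusted certificate' warning may be overridden. Added example; the
host, port and expected fingerprint below are placeholders (assumptions)."""
import hashlib
import hmac
import socket
import ssl


def sha256_fingerprint(cert_der: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER-encoded certificate in the
    colon-separated upper-case form browsers display (AB:CD:...)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Strip separators and whitespace so 'ab:cd' and 'ABCD' compare equal;
    operators hand out fingerprints in several notations."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def fingerprint_matches(cert_der: bytes, expected_fp: str) -> bool:
    """Compare the certificate's SHA-256 fingerprint with the one obtained out
    of band. The fingerprint covers the whole certificate, so an attacker
    cannot satisfy it merely by copying the subject name."""
    actual = normalize_fingerprint(sha256_fingerprint(cert_der))
    expected = normalize_fingerprint(expected_fp)
    return hmac.compare_digest(actual, expected)


def fetch_peer_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the server's leaf certificate WITHOUT trusting it (CERT_NONE),
    so an untrusted or self-signed certificate can still be inspected. Nothing
    sensitive is sent over this connection; it is used only to read the cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def chain_is_trusted(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the chain validates against the system trust store and the
    hostname matches. False is exactly the situation in which a browser shows
    the untrusted-certificate warning."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    HOST, PORT = "example.invalid", 443            # placeholder target
    EXPECTED_FP = "00:11:22:...:FF"                # placeholder, obtained out of band
    if chain_is_trusted(HOST, PORT):
        print("chain is trusted by the system store; no override needed")
    else:
        der = fetch_peer_cert_der(HOST, PORT)
        print("untrusted chain; presented fingerprint:", sha256_fingerprint(der))
        print("matches the out-of-band fingerprint:", fingerprint_matches(der, EXPECTED_FP))
```

If `fingerprint_matches` returns False, the certificate being presented is not the one the operator gave you, which is the man in the middle case the answer describes; if `chain_is_trusted` returns False inside a company network, the explanation may be an interception proxy whose CA has not been imported, and the network administrator is the right person to ask.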
Your connection is encrypted, but unless you do manual verification of the certificate, you are not sure who is the peer you are connected to (which by definition would be able to eavesdrop on the connection). This is the so-called person (or man) in the middle attack.