SSL Certificates what's the difference?

NickMNS

3:26 pm on May 8, 2017 (gmt 0)

I'm getting ready to go HTTPS, so I'm looking at purchasing or acquiring an SSL certificate, but I see that there is a wide range of prices, from free to $250. There are also a lot of different features, like Greenbar, paperwork, warranties, assurances (low to high?) and on and on...

How do you choose?

Peter_S

4:09 pm on May 8, 2017 (gmt 0)

It all depends on the nature of your site, and your budget. If you are a bank, you should (not to say must) get the Greenbar. If you are an e-commerce site, and if you have the budget, a Greenbar is always better; it might not bring more sales, but it adds trust to your business. The Greenbar basically shows your company name before the URL. It's a way to verify that the site you are visiting really belongs to who you think. For example, go to Paypal, and you'll see Paypal Inc. Go to some fake Paypal site, and you will not see this Greenbar mention.

As for the assurance, I am not sure exactly, so I won't comment. But I "guess" it's some kind of guarantee that if money is hijacked because of a problem with the SSL certificate, you are covered up to a given amount. But I can be totally wrong.

Now, the Greenbar is not mandatory at all for an e-commerce site, and all other kinds of certificates will do the work.

About free certificates, I would recommend checking Let's Encrypt. Their certificates are free for all, and for all kinds of usage (some free certification authorities have limitations on the use of their free offer, be careful). Let's Encrypt has certificates which need to be renewed (free) every 3 months, but now there are all kinds of tools which can do the renewal automatically. Also, Let's Encrypt doesn't need any registration.

robzilla

5:12 pm on May 8, 2017 (gmt 0)

Assurance relates to the level of certainty you give users (and, consequently, organization vetting), from simple domain validation up to extended validation. There's also insurance, which supposedly protects you from damage claims as a result of faulty encryption, but this seems to be more of a marketing strategy. The insurance coverage usually gets higher when the certificate gets more expensive, suggesting that a more expensive certificate is somehow also more secure, but the encryption is the same as with a cheap (or even free) certificate.

You choose based on the level of assurance you want to give your users. I've only ever used domain validated certificates.

NickMNS

6:12 pm on May 8, 2017 (gmt 0)

Thanks for the responses, guys. So I'm no bank (I wish I were LOL) and I'm not handling any financial transactions. Simply user accounts.

Greenbar - not needed
Warranty - not really relevant or needed
Assurance - arbitrary marketing blah blah.

So then is there a difference between the cheap certs that are out there for like $10 or $20 and a free cert from a service like Let's Encrypt?

not2easy

6:25 pm on May 8, 2017 (gmt 0)

I use perfectly good $3.99 domain validated certificates on sites where no transactions or logins other than mine are involved. They get the green padlock, which is all I am aiming for. Initial purchase was for 3 years, then they notify me or I can check at my account.

Peter_S

6:37 pm on May 8, 2017 (gmt 0)

At first I got one SSL cert at Namecheap, I think it was $10. Then, when Let's Encrypt appeared, I tried them, and now I use Let's Encrypt. I don't see any difference at all, except that with Let's Encrypt I run a script which automatically renews the certs every 3 months. So I use several scripts for all kinds of purposes. But you need to run a script / program with Let's Encrypt which generates and downloads the certificate, while with paid services you retrieve the certificate files from their site and copy them onto your server. The first method (Let's Encrypt) is more convenient, if you have the possibility, knowledge and skill to execute command-line tools (I think there are tools existing now to make it simpler; I started using them when they were in beta, so it was a bit awkward :)

robzilla

7:13 pm on May 8, 2017 (gmt 0)

So then is there a difference between the cheap certs that are out there for like $10 or $20 and a free cert from a service like Let's Encrypt?

Certificates need to be renewed quarterly and automating that may require some additional tech-savviness (unless you have a web server or control panel that can do this for you), but the certificates themselves are of equal value.

Have a look at the Let's Encrypt client implementations: [letsencrypt.org...]

NickMNS

7:18 pm on May 8, 2017 (gmt 0)

@Peter_S Those were the exact options I was considering. I'm going to give the Let's Encrypt option a try. There is a detailed tutorial explaining how to do it.

NickMNS

12:57 am on May 9, 2017 (gmt 0)

I just set it up with Let's Encrypt. Everything appears to be working fine. I get the little green padlock, and http is redirected to https.

Except it doesn't work in Opera for some bizarre reason. In every other browser I have tried it works, except Opera.

robzilla

6:55 am on May 9, 2017 (gmt 0)

Is that a reasonably recent version of Opera you have? They don't even list Opera in the compatibility list [letsencrypt.org].

Works just fine on Opera 44, but that's the latest version.

keyplyr

7:35 am on May 9, 2017 (gmt 0)

I use Let's Encrypt and tested with Opera. I don't remember the version but it was older since I haven't updated in well over a year. Anyway, if I remember correctly, it supported the lock symbol.

Each browser has a different version of the lock; some green, some gray.

NickMNS

11:53 am on May 9, 2017 (gmt 0)

Opera 43 the last time I checked. But now the tab is red, so it looks like it's going to get updated. I'll report back post update.

NickMNS

11:56 am on May 9, 2017 (gmt 0)

Okay I'm back, now running v44. But still not working.
When I click on the globe to get the details it shows an error "server's certificate cannot be checked".

@keyplyr Opera supports the padlock, it just isn't working for my site.

robzilla

12:27 pm on May 9, 2017 (gmt 0)

Maybe run the site through the SSL Labs tool, see if anything comes up.

NickMNS

12:47 pm on May 9, 2017 (gmt 0)

SSL Labs gives the site a grade of "C" & "C". What does that mean?

robzilla

2:00 pm on May 9, 2017 (gmt 0)

That there's room for improvement :-) Details should be in the report. Any chain issues?

NickMNS

3:55 pm on May 9, 2017 (gmt 0)

Yes chain issues were the problem.
I had set:

SSLCertificateFile /etc/...path/fullchain.pem


Fixed it with:

SSLCertificateFile /etc/...path/cert.pem
SSLCertificateChainFile /etc/...path/chain.pem


I also corrected the other suggestions from SSL Labs, such as disabling SSLv3 and RC4.

My score is now A.

Thanks for the input!
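For readers hitting the same "chain issues" grade, here is the before/after Apache vhost as an added illustration (not NickMNS's actual config; hostname and /etc/letsencrypt paths are assumed from a typical certbot layout). The "before" fails on Apache older than 2.4.8, which is what Ubuntu 14.04 ships, because SSLCertificateFile there reads only the first certificate in fullchain.pem and drops the intermediate; the "after" also covers the SSLv3 and RC4 findings mentioned above.

```apache
# Added example, not from the thread. Paths assume a certbot-style layout
# (cert.pem, chain.pem, fullchain.pem, privkey.pem in one directory).

# --- Before: what SSL Labs reports as a chain issue on Apache < 2.4.8 ---
# Only the first certificate in fullchain.pem (the leaf) is loaded, so
# clients that do not already have the Let's Encrypt intermediate cached
# cannot build a path to a trusted root ("certificate cannot be checked").
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
    # No SSLProtocol / SSLCipherSuite set: the server may still offer
    # SSLv3 and RC4 suites, which SSL Labs also flags.
</VirtualHost>

# --- After: leaf + intermediate served explicitly, legacy crypto off ---
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/www.example.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/www.example.com/privkey.pem

    # Drop SSLv2 and SSLv3 (POODLE); TLS 1.0+ stays available.
    SSLProtocol all -SSLv2 -SSLv3
    # Prefer forward-secret AEAD suites; exclude RC4, NULL, export and MD5.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
    SSLHonorCipherOrder on
</VirtualHost>
```

On Apache 2.4.8 and later, SSLCertificateFile does load the intermediates from fullchain.pem and SSLCertificateChainFile is deprecated, so the "before" form would work there; re-running SSL Labs after a reload confirms which case applies.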

robzilla

10:49 pm on May 9, 2017 (gmt 0)

Muy bien! Welcome to the HTTPS camp.

keyplyr

10:54 pm on May 9, 2017 (gmt 0)

NickMNS - does your server support HTTP/2?

NickMNS

11:20 pm on May 9, 2017 (gmt 0)

I'm not sure. I'm running Apache 2.4 on Ubuntu 14.04.

Peter_S

11:27 pm on May 9, 2017 (gmt 0)

I don't know Apache, but I guess there is some kind of module to load.

In any event, you can check at this site: [tools.keycdn.com...] whether your site is http/2 (and whether it supports ALPN).

With Google Chrome, in the developer tools, on the Network tab, you can right-click on the columns to add the "protocol" column. It will tell you, for each request, the protocol used. I don't know why, but there are "several" variants. There is "h2" or "http/2"; I don't know what the difference is. With Nginx + http/2, Chrome says "h2".

NickMNS

12:18 am on May 10, 2017 (gmt 0)

@Peter_S the site is not http/2 out of the box. But just to be sure I checked using your Chrome Dev tip, thanks for that! But no, it is not http/2.

keyplyr

1:35 am on May 10, 2017 (gmt 0)

@NickMNS - Apache 2.4.17 has the mod_HTTP/2 but needs to be enabled: [blog.samat.org...]

Works on Ubuntu 16. Don't know about Ubuntu 14.

lucy24

4:44 am on May 10, 2017 (gmt 0)

I use Let's Encrypt and tested with Opera. I don't remember the version but it was older since I haven't updated in well over a year.

Well over a year, or well over a decade? ;) My host has a lengthy blahblah about older browsers not supporting Let's Encrypt unless you also get a unique IP--and who wants to do that just to make it easier for Russian robots to visit?

keyplyr

5:03 am on May 10, 2017 (gmt 0)

It's not the cert that older browsers *had* problems with, it was the lack of SNI (server name identifier).

And your host now has added SNI to your server :)

lucy24

5:08 pm on May 10, 2017 (gmt 0)

And your host now has added SNI to your server

You mean they added it the first time someone on that server went to https, or you happen to know (heh-heh) that it has already been added?

I was surprised to find that it went into effect instantly--that is, I waited a few minutes and then requested https://example.com and got right through--instead of taking hours or days to propagate. At some time when I wasn't paying attention, the server must have started listening on port whatever-it-is (uh, 443?); I know that the last time I tried, maybe last year, there was nothing but dead silence, followed after many minutes by a “can’t find the server” error message. Now my other sites instead get a browser warning saying the certificate isn't configured correctly. (Er, yes, that would be because it doesn't exist yet.)

And yup, as promised, there are now two sets of logs, one for http and another one for https. I guess that means I need to add a line to the canonicalization redirect.