Certs and SSL
I have been googling and researching this subject and I didn't find much about it in DevShed, and I just thought I'd share what I've found. Please shoot holes in anything I've said that's wrong.

http://www.faqs.org/docs/Linux-HOWTO/SSL-Certificates-HOWTO.html is a clear description of how SSL and certs work at the protocol level. There are two components to it: the encryption part, which is technical and explained in the link above, and the certification part, which is required but has a more human, networky component to it. The certification is what you pay for when you buy a cert. Basically it is an affirmation by a trusted third party that you are a legitimate business person and you will use the sensitive data in a responsible manner. Because if you are evil, you could encrypt and decrypt sensitive credit card information over the network 'til the cows come home, and then when you decrypt it on your end, it's like, well, heh heh heh sucker.

OK, now we get to products: GoDaddy has one for $30. They claim it's equivalent to Thawte's $149 product. Their $30 one only certifies the domain. GoDaddy also has a $90 one that actually does some verification about the company, the person you're doing biz with; that's what you pay for. Thawte's equivalent product costs $200. Another company I looked at is Comodo, who have a cheap $50 product. Heck, you can sign your own cert for $0, but that's wanky and causes warnings for users. Their browser will say "yes, monotreme certifies this is monotreme and controls mydomain.com" and their browser will say "yeah, well, who the f--- is monotreme?" From a technical point of view they both encrypt whatever sensitive data you direct through SSL. The only difference that I can see is that by using Thawte your cert goes directly to a CA that has built-in trust in almost all browsers. When using GoDaddy you have to install an intermediate cert that POINTS to one of those, so getting the cert checked by the browser is a 2-step process, a little slower I guess. Not a big concern for me as long as it works.

My thinking is this: if you just have a login or something you want to encrypt, you could go with the cheap product because that login is only useful on your site anyway, so all you're needing is avoiding anybody sniffing it. If you accept CC, that data could be used in bad ways in the outside world, so the user wants some assurance that YOU are not a bad guy who is going to do something bad with it. Sniffing is irrelevant, because obviously YOU can decrypt the data. If you take CC you *should* theoretically have the more thorough verification process. Now we get to the mystery of users: do end users normally really think about the difference between domain-only and more thorough certification as long as the URL has https in it and the browser accepts the certificates silently and in the background? I know I never did! (But I will from now on.) I'd like to hear anybody's ideas & experiences on this, particularly if anyone went with the cheap option and felt they lost sales because of it. I need to buy some sort of product in the next few days, and I do need to receive and process (but not store) CC data for a payment gateway, so it will need to come to my site.
__________________
Nothing says CLUELESS NOOB quite as poignantly as $q = "SELECT * FROM users WHERE id = " . $_GET[id];