[ithkuil]

A certificate is needed basically for two reasons:

1. the user has to verify that the site is actually run by you and not by somebody spoofing your site. Somebody could make the user believe he's clicking on your's sites "pay" button, and instead he's sent to a fake paypal site, or a real paypal site with a similar account.

2. once the browser knows that you are you, it can securely encrypt che connection. This is useful if your webapp also requires password login etc.

Note that encryption is also possible without a trusted certificate (i.e. verified by the 'certificate authority' mafia^H^H^H^H), but at this point, albeit almost impossible to decypher once established, it remains vulnerable to the 'man-in-the-middle' attack, intercepting the key exchange with your site, or simply a spoofing as described in point (1).

EDIT: when I said "the browser knows that you are you", by "you" I mean "you" the server, the webapp

[gilaniali]

So then will a self-signed certificate work or do I have to use one from a vendor such as godaddy?

[ithkuil]

self-signed certificate will just make your user furious, because recent browsers display very annoying alerts (especially firefox).

self-signed certificate will allow you to encrypt, but it's not secure.

Unfortunately you are bound to get a certificate from "vendors" that ship bundled with the major browsers (if godaddy sells you a certificate then it's ok).

Anyway, just a link for an utopic world http://www.cacert.org/. I don't know if something like cacert would work in the real world, but certificates are about trust, not about money.