Money isn't the problem. The problem is I'm currently based in China.
I've been unable to get a signed cert so far, and I'm not getting one from the Chinese cert auth (that's even more difficult and also insecure).
Also with regards security of self signed certs, it comes down to a question of who do you trust, me or verisign.
http://webdesign.about.com/od/ssl/a/signed_v_selfsi.htmThe only issue is the warning that browsers pop up, makes people uncomfortable.
No, it does not come to a matter of trust between you or verisign. It's a matter of trust between anyone with access to your server, man-in-the middle, and/or verisign. A third party mitigates a man in the middle trust issue. The site you link to makes plenty of arguments for why you should be using a third party signed cert for your production environment.
Self-signed certs are more vulnerable to MITM because a user has no way to verify whether the original certificate or certificate changes are legitimate. A diligent user might be able to tell the difference with the use of other information but an average user will not. A third party will verify certificate changes for you, which makes MITM less likely to be a user "error" in trust. It doesn't fully "solve" anything other than user error (unless they are trained to expect self-signed certs from your site), but it is a must have for a service such as yours.
I don't know how much you looked around, but you can get very basic 1 year SSL certs for free at
startssl.com. It's a low assurance cert, but it would be sufficient until GLBSE becomes more important.
