Certificates are, regardless of what salespeople say, objectively pretty much all the same with regard to encryption. They all enable 'good enough' encryption, which really mostly depends on the configuration of the web servers, and somewhat on the capabilities of the browser. The US ban on exporting strong encryption was lifted some years ago, so today pretty much all browsers will support 128-bit Twofish or AES encryption, if the server proposes this. (Surprisingly many servers still use 56-bit DES, RC4 or other weaker schemes, due to ignorance of the sysadmin, or to lower CPU load on the server.)
The problem of long daisy-chained certificate trust relationships is also pretty much gone. Most browsers today have a fairly complete set of pre-installed trusted CAs. Open your browser's cert UI to see yours (Firefox 3: Tools > Options > Advanced > Encryption > View Certificates).
From time to time you can find promotions where resellers offer Comodo, Digicert or similar certificates for ~20 USD or so.
The level of 'trust' your site inspires in customers may be a consideration. Arguably, a Verisign site seal and the green Extended Validation bar in compliant browsers are better than simple 128-bit encryption with a certificate from GoDaddy. It's hard to tell; it will depend a lot on your user demographics, age, computer literacy et cetera.
One thing: It can be beneficial to keep your DNS Whois information accurate, as it is a big part of how CAs verify you before issuing a certificate. I would imagine that getting your certificate from someone you're already doing business with, such as your web host / DNS registrar, is easier than getting verified by Comodo, Thawte etc.
So my proposal is to assess your users, and whether a more 'trustworthy' branding on the site seal will create more sales. And then do one of the following:
- Get the cheapest 128-bit certificate you can from a reseller / DNS registrar / whoever you already have an account with. Maybe investigate briefly who signs the cert, and what the root CA is, but don't sweat it unless it is a pretty obscure CA chain.
- Get a Verisign or similar well-known (and bloody expensive) SSL cert with good brand value, and display their site seal prominently. Consider going for an Extended Validation cert.
The "Extended Validation" certificates add some value IMHO, because the browsers visually assure users that everything is OK with the green address bar, prominent company name etc. Unfortunately, these certificates are also expensive, and more annoying to get validated for.
Myth? Kind of.
There are two aspects that people often confuse. If you make a change to your domain name with your domain name registrar, for example changing the name servers, that is pushed to the name servers for your TLD (.com, .ca, .fr, etc.). That's where the propagation comes into play. In years past, that could take hours or even days, waiting for the registrar to take the information you provided and push that to their deployment servers, which would update the TLD root servers twice per day. That's improved rapidly over the years, and often changes made to your domain name take effect nearly immediately.
On the other hand, if you make a change to your DNS zone, like adding an A record or an MX change, that should take 'up to' as long as the TTL setting to be updated everywhere. That's not really propagation though, it's caching. Microsoft DNS, for example, defaults to 1 hour TTL.
With the caching, if you happen to use the domain name just before making a change, and the TTL is 1 hour, then it will take an hour for it to be updated. However, if you haven't tested anything with the domain name just prior to the change, then your change will be immediate for you. (i.e. add a new A record that you haven't tested with yet, and it will take effect immediately).
So, nowadays almost all changes will take effect within an hour (or whatever your DNS TTL is set for). The only exceptions are if a DNS server doesn't honor the TTL (spammers often don't), or if your domain name registrar's servers aren't updating properly to the internet and you make a registrar-level change. That isn't often, though.
Best Answer
This is normal - they should have warned you though - and you should expect interruptions for at least the next day (if you're lucky; and the next month if you're unlucky).
Older versions of SSL require their own IP. SNI is a "modern" technology that lets multiple sites share an IP, in the same way that standard HTTP can share via Virtual Hosts. SNI has about 80% support, however, and 20% is enough to guarantee that no major hosting site will support it. So when you implement SSL, you require your own IP address (you're probably paying more for this too).
Since you're switching IP addresses, it will take time for anyone who has the old IP cached to grab the new IP. Your TTL is 4 hours, so anyone who hasn't visited your site in the last 4 hours should be working now. Some DNS servers don't play by the rules (and it's too hard to identify them to do anything about it - as much as I'd really like to) and will cache your entry as long as they'd like (which could mean malfunctioning patrons for some time to come).
This is all very common in the hosting industry, though my host gave a huge red warning about interruptions and stuff (they went out of their way to explain the issues; very likely they got tired of having to explain it to people who didn't know already). I'd like to be surprised that your hosting provider didn't, but in honesty they're probably charging <$5 a month for basic hosting packages (SSL, domain name, IP, etc. all extra) and are betting they won't piss you off enough to make you leave.
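An added illustration (my own, not from any of the posters) of the caching behaviour described in the "Myth? Kind of." answer and the 4-hour TTL case in the accepted answer: a toy resolver cache that honours TTLs, run through the three situations the answers describe (name never looked up before, name looked up just before the change, and a resolver that overrides TTLs with its own minimum). The hostname and IP addresses are constructed (RFC 5737 documentation ranges).

```python
"""Toy model of a caching DNS resolver, to show why an IP change is
"immediate" for some clients and takes a full TTL for others."""
from dataclasses import dataclass, field

FOUR_HOURS = 4 * 3600
ONE_DAY = 24 * 3600


@dataclass
class Authoritative:
    """The zone as published by the authoritative server: name -> (ip, ttl)."""
    records: dict

    def query(self, name):
        return self.records[name]


@dataclass
class CachingResolver:
    upstream: Authoritative
    min_ttl: int = 0                 # >0 models a resolver that ignores short TTLs
    cache: dict = field(default_factory=dict)   # name -> (ip, expires_at)

    def resolve(self, name, now):
        """Return (ip, from_cache). A cached answer is reused until it expires."""
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0], True
        ip, ttl = self.upstream.query(name)
        self.cache[name] = (ip, now + max(ttl, self.min_ttl))
        return ip, False


def scenario(looked_up_before_change, min_ttl=0):
    """Move a constructed host to a new IP at t=60s and record what one
    resolver answers at several later moments (seconds since t=0)."""
    auth = Authoritative({"www.example.com": ("198.51.100.10", FOUR_HOURS)})
    resolver = CachingResolver(auth, min_ttl)
    if looked_up_before_change:
        resolver.resolve("www.example.com", now=0)   # primes the cache (old IP)
    auth.records["www.example.com"] = ("203.0.113.20", FOUR_HOURS)  # the move
    checkpoints = (61, FOUR_HOURS - 1, FOUR_HOURS + 1, ONE_DAY + 1)
    return {t: resolver.resolve("www.example.com", now=t)[0] for t in checkpoints}


if __name__ == "__main__":
    print("never looked up before :", scenario(False))
    print("looked up just before  :", scenario(True))
    print("resolver clamps TTL 24h:", scenario(True, min_ttl=ONE_DAY))
```

The first run shows the new address at every checkpoint, the second keeps serving the old address until the 4-hour TTL has elapsed, and the third (a resolver that "doesn't play by the rules") keeps the stale address for a full day.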