This completely depends on your standards and your paranoia. According to that, you have a couple of options:
No HTTPS:
- No green mark
- No server authentication / prevention of man-in-the-middle attacks
- No prevention of "stand by" sniffing
Self Signed Certs:
- The user needs to "approve" the cert at least once (this is something where you have to guide your users through one by one, as most "normal" users don't handle it)
- No server authentication / prevention of man-in-the-middle attacks
- At least some prevention of "stand by" sniffing
Domain signed Cert:
(when you are in a company, you usually have a domain controller where you already have or can install a CA and sign certificates)
- Costs nothing
- Server authentication
- Prevents "stand by" sniffing
- Users outside your domain still need to approve this certificate manually
Free certificate (letsencrypt.com):
(There are free authorities where you can get certificates from. As a dependency, you need to buy a valid domain, host your site under this domain, and either make the server publicly available (HTTP01 challenge) or use an SSL certificate provider with a supported API (DNS01 challenge))
- Costs nothing
- Server authentication
- Prevents "stand by" sniffing
- Everybody, in and outside your company's domain, trusts those certs
Buy a certificate (Namecheap Comodo, like 9$ per year):
(you need to create a private key, then a CSR, send the CSR to the authority and get the normal cert back, which you can then install on your server with your private key)
- Costs a little
- Server authentication
- Prevents "stand by" sniffing
- Everybody, in and outside your company's domain, trusts those certs
Hope this helps. It's by far not complete, yet it should give you some overview.
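
The private key, CSR and certificate steps described for a purchased certificate, as an added example that is not part of the original answer. It assumes the `openssl` command-line tool is installed; `www.example.com` is a placeholder name, and a self-signed certificate stands in for the one a CA would send back.

```sh
# Added example: key -> CSR -> check what comes back before installing it.
# Assumes the openssl CLI is installed; www.example.com is a placeholder.
# Create a 2048-bit RSA key (owner-only permissions) and a CSR for <host> in <dir>.
make_key_and_csr() (
    host=$1 dir=$2
    umask 077
    cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" \
        -out "$dir/$host.csr" 2>/dev/null
)

# Print a SHA-256 digest of the public key inside a key, csr or cert file.
pubkey_fp() (
    case $1 in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    exit 2 ;;
    esac
    [ -n "$pem" ] || exit 1      # unreadable file: never report a match
    printf '%s\n' "$pem" | openssl dgst -sha256
)

# Succeed only if both files carry the same public key.
same_key() (
    a=$(pubkey_fp "$1" "$2") && b=$(pubkey_fp "$3" "$4") && [ "$a" = "$b" ]
)

# Constructed stand-in for the CA's reply: the CSR signed with its own key.
demo() (
    host=www.example.com; dir=$(mktemp -d) || exit 1
    make_key_and_csr "$host" "$dir" &&
    openssl x509 -req -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -days 1 -out "$dir/$host.crt" 2>/dev/null &&
    same_key csr  "$dir/$host.csr" key "$dir/$host.key" &&
    same_key cert "$dir/$host.crt" key "$dir/$host.key"
    rc=$?; rm -rf "$dir"; exit $rc
)
demo && echo "CSR and certificate match the private key"
```

Only the `.csr` file is sent to the authority; the `.key` file stays on the server, and `same_key cert <file> key <file>` is the check to run on the certificate that comes back before installing it.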