https without certificate

Started by May 07, 2009 02:59 PM
3 comments, last by _Sigma 15 years, 6 months ago
I haven't been able to reliably verify this. Question is: Does the secure part of https work without a valid SSL certificate? That is, if one doesn't spring for a VeriSign certificate, is the connection still encrypted? Thanks!
Yes.
You need a certificate containing the encryption key, but it does not need to be signed by a major root CA. You can use an unsigned or self-signed certificate if you want.

Be aware that if it is not signed by a trusted root CA, the user's web browser will throw up some scary security warnings, which can be bypassed by the user.
If you use SSL, regardless of the certificate, nobody will be able to intercept a request between your server and your visitor. On the other hand, anyone will be able to masquerade as your server with their own SSL certificate.
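An added example, not part of the original thread: two self-signed certificates carrying the same subject name are indistinguishable by name alone, so a client that wants to use a self-signed certificate safely has to pin its fingerprint. The host name `example.test`, the file names and the helper functions are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: host name example.test and all file names are made up.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# make_cert NAME: create a self-signed certificate and key for CN=example.test.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" \
        -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
}

# subject FILE: print the subject name a browser would display.
subject() {
    openssl x509 -in "$1" -noout -subject
}

# fingerprint FILE: print the SHA-256 fingerprint of the certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# pin_ok FILE PIN: succeed only if the certificate matches the pinned fingerprint.
pin_ok() {
    [ "$(fingerprint "$1")" = "$2" ]
}

make_cert server      # the site owner's certificate
make_cert lookalike   # a second party's certificate with the same name
PIN=$(fingerprint "$workdir/server.pem")   # recorded by the client out of band

for name in server lookalike; do
    if pin_ok "$workdir/$name.pem" "$PIN"; then verdict="pin matches"
    else verdict="pin MISMATCH, refuse connection"; fi
    echo "$name: $(subject "$workdir/$name.pem") -> $verdict"
done
```

Both certificates print the same subject line; only the fingerprint comparison tells them apart, which is the check a CA signature otherwise performs on the client's behalf.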
OK thanks guys!

This topic is closed to new replies.