People seem to be under the misapprehension that Let's Encrypt / ZeroSSL certificates are "free". They are not — it's that the consumer is not the one paying the bill.
It costs tens to hundreds of thousands of dollars a year just to get the audits required to operate a public CA, much less pay for the infrastructure and staffing required. That bill has to get paid somehow. Yes, pricing on certs in the past has been questionable, but operating a public CA is -not- free, so CAs have sold certificates to pay for that service operation. That has introduced some issues of its own in terms of profit motives, although I would observe that for the majority of public CAs their public TLS certificates are frequently a loss-leader service and not a massive source of income. Put short (too late!), there's nothing wrong with the practice of paying for certificates in and of itself.
What makes me very concerned about the current model funneling everyone to "free" CAs is that those bills are being paid at the moment through donations to ISRG and other organizations. I like that ISRG is making efforts to broaden their donation base to reduce reliance on single sources! However, I'd much prefer to be paying them a monthly subscription fee for their certificate service and not have my ability to leverage it be dependent on the largesse of large corporations that frequently abruptly decide services like this should either cost money or pay up in user data. (Note that I explicitly do not think the user-data thing is happening right now, only that I'm concerned it becomes a problem in the future.)
One issue with requiring some kind of fee to get SSL certificates is that it acts as a barrier to hobbyists and kids trying to set up a website (probably to learn about the technologies involved). That barrier means that there'll likely be more unsecured websites around which is not desirable.
Maybe some kind of traffic based tax would be better - just have the biggest ISPs pay for all of the free CAs.
Don't get me wrong: I don't object to the existence of non-profit/funded CAs like Let's Encrypt! The work they've been doing on making HTTPS the norm is excellent. I just worry about a future in which the only option is a CA like that, as the other public CAs struggle with offering a product that competes with "but it's free!".
I also worry a bit about the amount of the Internet that now depends on Let's Encrypt, including a number of large enterprises. That didn't go very well the last time we had an 800-pound gorilla in the CA space, not to mention the availability problems that will occur if everyone depends on a single CA that then has an outage, a mass revocation problem, or has a disagreement with the browsers over issuance rules.
Well, here in the UK, we had the BT ISP attempt to inject adverts into plain HTTP pages that their customers were requesting. HTTPS prevents that kind of abuse, so I welcome HTTPS on every single website as we can't trust big companies to not try to mess with us.