The cost of SSL certificates scales linearly, not exponentially, with the number of domains. Just buy a certificate for each domain and don't bother with the "multidomain" or "wildcard" rackets.

Oh, you need multiple IPv4 addresses for that? Just buy them, SSL is a valid jusstification for consuming IPv4 addresses. It's also a lot cheaper than multidomain certificates. Again, the cost increase is only O(N), not exponential.

If it costs you more than $150/year to secure a dozen domains, each with its own IPv4 address, it's not because you're being ripped off, it's because you didn't do your homework. The very fact that some companies can still get away with selling $500 certificates in a purportedly free market implies that most people aren't doing their homeworks.

Why do you need multiple IPs when SNI is supported on most major operating systems and most server platforms. Just look on Wikipedia for a full list of technology that supports Server Name Indication. It is free.

$500 certificates are Extended Validation certificates that require man power to verify many details about a company. There are other costs involved in the certificate issuance process that is mandated by the CA/Browser forums.

There are multi-domain certificates for less than $100 that allow wildcard in the certificate. If you really knew what you were doing you would only need one certificate and it would cost less than the $150 you are talking about.

If you have an ecommerce site that Extended Validation certificate is worth it. Our sales increased by better than 40% by having an Extended Validation certificate. So YMMV. Do what makes the best sense for your site.

Self signed certificates are just as secure but they give the warning unless you import your CA certificate into your browser. So you can get away with free if the sites are only for internal use only pretty easily.

IPv4 addresses are more like 2 EUR/IPv4/month now -- already more than twice more expensive than the domain names, plus, there is generally a limitation of, say, 8 or 16 addresses per non-enterprise hosting accounts. And these prices will only go up in the future!

Plus, are you suggesting that I even get separate certificates (and IPs!) for subdomains? Because I don't actually have to pay anything for my own subdomains to anyone! (Other than the https certificate companies, apparently.)

Plus, having to manually re-install all of these certificates every year? No, thanks! Fix it first! I don't have to re-install my STARTTLS in SMTP, noone gets any self-signed warnings, yet all my email is still immune from passive eavesdropping or any kind of passive tapping of the traffic.

I was just trying to point out that the cost increases linearly and nowhere near $50/domain/yr.

Besides, it was your choice to get a dozen different domains and create a bunch of subdomains on them, instead of, say, subdirectories. You should have been fully aware of the costs and limitations of existing protocols and market conditions when you did that. It's also entirely your choice whether or not to support non-SNI clients. Some of us stopped supporting IE8/XP a long time ago, some of us keep supporting it at a significant cost (often many thousands of dollars). Either way, it's your choice.

Every choice has pros and cons to it. No use complaining about it because you happened to choose a less widely supported and more costly option. Hell, I'd love to get a thousand different domains and an entire /20 for personal use. Why should I pay $10K/yr for my preferences?

If you don't want to pay for overpriced certificates on your gazillion subdomains, just don't. Consolidate your domains and subdomains, or at least consolidate the parts that need SSL. It's as simple as that. If nobody ever fell for the wildcard and/or multidomain certificate racket, CAs would have to price their products more competitively. Stop whining and start voting with your wallet, it's the only vote that matters.

> I was just trying to point out that the cost increases linearly and nowhere near $50/domain/yr.

Not sure on your math. 2EUR/IPv4/year is 24EUR/IPv4/year, say, you have just two subdomains -- that's already 48EUR/IPv4/year, for a single TLD domain!

> Besides, it was your choice to get a dozen different domains and create a bunch of subdomains on them

Yes, based on best practices and technological needs; or maybe consolidation of a legacy architecture (where each domain used to have a different physical machine); or maybe the future compartmentalisation through IPv6 (where each domain has a separate logical IPv6-only machine, all sharing IPv4 through a single non-fail-safe legacy proxy); or maybe just outright security for cookies between separate applications I run to protect against XSS attacks.

Or do you suggest I make my choices in technology based on the racketeering of the certification cartel instead? Use inflexible, stagnated and insecure operating practices just to please the certificate authority cartels? No thanks.

> your choice whether or not to support non-SNI clients

What did non-SNI clients did to you to block them from allowing access to your personal web-site? Android had no SNI support until very-very recently, for example. I don't want to not be able to access my own web-site from my own phones! However, the separate `https` address scheme would guarantee that my site wouldn't simply work if I follow someone's https link to it on my Android 2.2 device, and there is no way to avoid someone from giving out https links should I enable https (which will never happen, BTW).

> I'd love to get a thousand different domains

You can -- you don't have to pay anyone for your subdomains! Other than the certificate authorities, apparently!

> If you don't want to pay for overpriced certificates on your gazillion subdomains, just don't. Consolidate your domains and subdomains, or at least consolidate the parts that need SSL. It's as simple as that.

Aha! Parts that need SSL? It'd be nice to have, but none require it -- I'm not running a bank and don't collect payment details! And, no, I will not revisit sound engineering and marketing decisions based on the political limitations of the certificate authorities. Not gonna happen. CAs will not dictate the rules of the game for me.

Fix encryption for HTTP to be as easy as SSH and STARTTLS in SMTP (I don't need no https access scheme for my non-commercial pages!), and I'll gladly enable it for all of my domains. Until then, thanks, but no thanks.