I hate the way certificates are handled today... They basically put a gun to your head and demand money in order to establish an SSL connection.
I know, man-in-the-middle attacks! Well sorry but can we not have an encrypted connection without protection against man-in-the-middle attacks? Why is it every other protocol has support for basic SSL encryption without certificate verification except HTTP?
Internet Explorer's implementation is annoying, WebClient and Firefox's implementations are a pain in the *.
It's to do with trusted authorities (TAs). If I see a website www.citigroup.org.uk - is it Citigroup? I trust Citigroup with my banking details, but is it Verisign? With no TA authentication my communication with them is secure, but they might be bad guys in disguise. With a TA, not only is my communication with them secure, but it is guaranteed by Verisign (whom most everyone agrees are good guys).
You're not paying for the SSL certificate, you're paying for the fact that you can't guarantee your own identity; you need someone else to be your 'passport-issuer' as it were.
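The two checks the thread is arguing about, as an added example (not code from either poster): certificate verification is what ties the encrypted channel to an identity, and it has two parts. The first is the chain-of-trust check, which Python's `ssl` module does by default and which the "encryption without a CA" camp proposes switching off; the second is matching the name in the certificate against the hostname the user typed, which is exactly the "www.citigroup.org.uk vs. Citigroup" question above. The SAN lists below are constructed for the illustration, not real certificates, and `dns_name_matches` is a hand-written RFC 6125-style matcher, not the library's own routine.

```python
import ssl

# Constructed subjectAltName dNSName entries, in the form ssl.getpeercert()
# would report them. Hypothetical values for illustration only.
CITI_CERT_SANS = ("citigroup.com", "*.citigroup.com")
LOOKALIKE_CERT_SANS = ("www.citigroup.org.uk",)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style reference-identity check.

    Case-insensitive; a single leading '*.' wildcard matches exactly one
    left-most label (so '*.example.com' matches 'www.example.com' but not
    'example.com' or 'a.b.example.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must not cover the public suffix, so require >= 3 labels.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def identity_matches(cert_sans, hostname: str) -> bool:
    """True if any SAN in the presented certificate covers the hostname."""
    return any(dns_name_matches(san, hostname) for san in cert_sans)


def make_context(verify_identity: bool) -> ssl.SSLContext:
    """Build a client-side TLS context.

    verify_identity=True: chain validated against the trust store and the
    hostname checked (what browsers do).
    verify_identity=False: the 'encryption only' mode the first post asks for.
    Confidential against a passive eavesdropper, but anyone who can sit in
    the path can present their own certificate and read everything.
    """
    ctx = ssl.create_default_context()
    if not verify_identity:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext, cert_sans, hostname: str) -> str:
    """Summarise what a connection under this context actually guarantees."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "encrypted, identity unverified (impersonation possible)"
    if not identity_matches(cert_sans, hostname):
        return "rejected: certificate does not name " + hostname
    return "encrypted and authenticated as " + hostname


if __name__ == "__main__":
    strict = make_context(True)
    loose = make_context(False)
    print(describe(strict, CITI_CERT_SANS, "www.citigroup.com"))
    print(describe(strict, CITI_CERT_SANS, "www.citigroup.org.uk"))
    print(describe(loose, LOOKALIKE_CERT_SANS, "www.citigroup.com"))
```

The last line is the point of the second poster's reply: with verification off, a certificate for any name at all is accepted, so "secure" only means that nobody outside the path can read the traffic.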