If you are not capable of affording at least a cheap, almost-free SSL cert in order to protect your site's users, and given your site actually requires SSL (such as secure account login, transactions, etc.), you probably should not be running the site.
SSL certs can be found for $1.99 per year sometimes from companies (that's cheaper than it costs to run your server). Sure they are not the "name brand" ssl certs like from Verisign that cost $300 a year -- but to a browser, SSL is SSL (so long as the browser recognizes the trust chain).
If your country prohibits SSL's use -- then you really should consider not hosting your site from within your country.
smnrchrds isn't saying they don't have the money to pay for it. They're saying they can't pay for it. Because they're in Iran, they can't get PayPal, a foreign credit card, etc. So, while they could get this SSL for free, it would be a security risk for them since they'd be unable to revoke it if it were compromised because they have no way to carry out the transaction.
Most countries have operating CAs... and not every country has sanctions imposed against Iran -- so it is possible to get a cert even if you live in Iran.
I'd wager smnrchrds has tried that route as well. I'd also wager that most countries with CAs accepted worldwide likely obey the UN-ratified Iran sanctions. So, unless you can suggest a specific CA that is accepted by most browsers that is headquartered in a country that does not obey the UN-ratified sanctions against Iran, this discussion is moot.
So the discussion is not "moot". If you run a website or webservice that must be secured -- you need to secure it or not host it.
As an aside -- I don't believe Iran is currently under UN sanctions -- I believe they expired at the beginning of 2014 [1] ... the US, and several EU countries and others still do have sanctions, sure... but it's not the entire world... specifically China and Russia are not on the sanctions list, and both operate public CAs.
I said it was moot unless you could point us to a CA that would (1) sell to Iran and (2) be accepted in most browsers. I'm still not sure if someone in Iran can actually buy from this CA - 10-100x markup aside - as there doesn't appear to be an online purchase ability. The website has also not been updated in 2 years. One final issue is that this is a reseller of TURKTRUST, which was pulled from all major browsers last year due to their major screwup allowing people to impersonate Google. They're back in the browsers, for now, but we'll see how it unfolds in the future.
Multiple UN sanctions against Iran are still in effect. Some relief was granted in December 2013 but most of the sanctions regarding oil, banking, and finance remain in effect. Wikipedia is often out of date with regards to issues like this. It's an extremely poor source of information, but often helpful to find a reliable source from the footnotes.
I don't think he was saying he couldn't pay because he couldn't afford to pay, I think he was saying he couldn't pay because he doesn't have the option of paying with the economic sanctions against Iran.
If your server requires SSL due to security reasons, and you are not capable of using SSL for one reason or another, then I'd rather you don't run that server at all.
Besides, if it's not a cost-prohibitive problem, but rather one can't get an SSL cert due to sanctions, etc... well, that argument doesn't hold water either. Not every country holds sanctions against Iran, for example. You may not be able to get an SSL cert from a USA company, but there are many other countries who have CAs available that probably have no sanctions.
In the end, security is not a joke. If your server requires itself to be secure, you'd better do it.
Security is not a joke.