Let's see...<p>* IPv4 addresses are NOT free by any means.<p>* Having an SSL certificate requires extra configuration on the server.<p>* Legitimate SSL certificates are not free (VeriSign, etc.; if your site uses StartCom then you're doing it wrong)<p>That's just a few points.
For serious cloud/SaaS products, especially B2B stuff, this really shouldn't be a question. When I was at Harvest we went SSL-for-all in 2009:<p><a href="http://www.getharvest.com/blog/2009/06/unlimited-clients-projects-and-ssl-for-all-plans/" rel="nofollow">http://www.getharvest.com/blog/2009/06/unlimited-clients-pro...</a><p>Sure, it costs a little bit of money. But it makes our users a little safer when they log into our service. There aren't many levers you have as a SaaS product that you can pull to really make user data secure once it leaves your servers.<p>As pwim said, if you can't recover the cost per user then your company must have some big problems. I always frown at a pricing page that says SSL is an add-on; it demonstrates that whoever is running things behind the curtain isn't really concerned about the safety of user data in their app.
Computational cost is not negligible when you scale up. It is very manageable, but it does end up costing extra.<p>Using SSL for all private data is an absolute must though.
SSL as a feature usually differentiates between sites that accept online payments (need to use SSL on their site payment form) and those that don't.
Those that accept online payments seem to be able to pay more for a service than sites that don't accept online payments.<p>tl;dr sites that need SSL usually can pay more for the same service.
I don't see cost as being a counterargument for a SaaS. I paid about $20 for my certificate, took an hour or so to jump through the signing hoops, serving assets through CloudFront, which charges me pennies, and Heroku has $20/month SSL support. If you can't recover that cost per user through your SaaS, you have bigger problems.
<i>Imagine a service that offered you ‘hashed passwords’, ‘encrypted credit card storage’, ‘backed up data’ or ‘up to date libraries’ if you pay for their advanced plan. Not cool, right?</i><p>All of those things relate to the security of the <i>provider</i> so you expect them as standard. SSL, as a customer-facing feature, secures data when it's out on the wilds of the Internet or on the <i>customer's</i> network. It's a bit like charging extra to offer signed courier delivery instead of USPS.