I don't understand why people still try to correlate value to difficulty of producing something. That was never the case, especially in a service economy, or else we wouldn't have people on the entire gamut of wealth.
Pro sports players don't get paid per effort dedicated, but by the amount of value they generate. You can complain about baseball players making millions all you want, but in the end, they sustain a huge economy surrounding sports.
If SSL certificates were pennies (which is in essence what it takes to generate them), then they would lose almost all value they provide. They need to be somewhat expensive to not dilute the amount of valid certs. But that is superficial; authorities take on responsibility of verification and they assign their own name behind the validity of a third party. That's valuable.
The amount of value you provide, less transaction costs, represents the maximum that you can charge for a product or service even if you are a monopoly (and there are no viable substitutes).
In a market economy, competition drives prices down towards the product's marginal cost to produce. Consumers then get to keep the 'excess' value delivered. The lower price also brings in consumers for whom the product delivers less value.
So when you have a product, like SSL certificates, where the marginal cost of production is nearly zero, it is fair to ask why the certificates aren't nearly free.
(And since the certificates are not free, and so the providers seem to be printing money, we have to ask how all of us missed out on this business.)
Although the production costs are free, the maintenance costs (both short and long term) to make the certificates have any worth to purchasers is very significant.
Ignoring wages, hosting, DR site maintenance, general business costs etc, the other maintenance costs I can see over other SaaS/webhosting/domain businesses (which are similar).
mid $xxxxx/mo for CDN hosting
mid $xxxxx startup for the hardware (you can't store keys on disk)
mid $xxxxx anually for audit (thats the simple cost to get it done, nothing to do with performing it - manpower, expenses, recification of any issues)
[Sometimes multiplied for various other compliancies/audits around the world]
It's like this:
Webhosting - you can pay $100 a year for mid-to-low-end hosting.
You could probably do it yourself from your ADSL line, or a cheap co-lo, right? Save a few bucks.
SSL - you can pay $100 a year.
Or, unlike hosting/SaaS, even becoming your own domain-reg...you're looking at the above costs, plus waiting with your thumbs up your ass for 5+ years before you can do anything. Still paying, too.
You could bypass the wait, shell out for the hardware and then pay 6-7 figures to get a subCA and issue immediately.
Rip-off? Not as clearly as you think.
When there's a large gap between an item's marginal cost and value to consumers, producers who capture a large amount of the difference are considered lucky or evil. This is an advantageous meme for consumers, and nearly everyone sees more individual consumption transactions than production transactions, so it's not going to go away, no matter how much more we drill people in economics.
"They need to be somewhat expensive to not dilute the amount of valid certs."
I don't understand you. The validity of a cert isn't dependent on its cost, though as you note, steps taken to ensure validity drive up cost. In any case, virtually no one is served by getting a more expensive cert these days, now that $50 and lower certs are available and just as trusted by browser manufacturers. The original idea that cert providers would verify actual identity has given way to the idea that certs only verify that the encryption really comes from the website itself, rather than some middleman. There's a place for business identification, but it's hard to do cheaply. Actually, it's hard to do at all, in a global marketplace.
Pro sports players don't get paid per effort dedicated, but by the amount of value they generate. You can complain about baseball players making millions all you want, but in the end, they sustain a huge economy surrounding sports.
If SSL certificates were pennies (which is in essence what it takes to generate them), then they would lose almost all value they provide. They need to be somewhat expensive to not dilute the amount of valid certs. But that is superficial; authorities take on responsibility of verification and they assign their own name behind the validity of a third party. That's valuable.