[tallanvor]

If the customer can't afford to pay $20/month to use SSL from Heroku (which does seem to be a rather outrageous amount), they're not going to be able to afford to upgrade to the CloudFlare plan that allows them to use a custom SSL certificate.

[sublimino]

CloudFlare offer free, "flexible" Universal SSL https://www.cloudflare.com/ssl - although it is terminated at their servers and still communicates with the target server via HTTP. This is what I'm using for a simple blog.

> Flexible SSL: There is an encrypted connection between your site visitors and CloudFlare, but not from CloudFlare to your server.

> You do not need an SSL certificate on your server.

> Visitors will see the SSL lock icon in their browser.

It can be upgraded to full "strict" SSL all the way to the host with paid plans.

This security model obviously comes with some compromises, especially on login forms, as the user has been taught to expect the browser's padlock sign to signal an encrypted connection to the host.