Pay-for-security is a bad path to go down. Compare pay-for-ssl to using md5 on the lower tier for password encryption, while the upper tiers get something like bcrypt, or you only get a salted password if you pay extra.

It seems pretty absurd to require a payment for security, especially when you're implementing it for a subset of users. Its true that SSL is going to be more taxing on their servers, but the majority of the cost is going to be spent getting an engineer to implement it, rather than the actual operational costs.

SSL concerns the kind of people Subtask is marketing its product to. Including me. It's a non-starter as-is. I was interested to sign up and try it out right until then.

Security is never a feature. The app lost all credibility at that point.

Normally, I'd completely agree that if it's a feature people want, then they can pay for it. But SSL isn't just about protecting the person's data, it's about preventing people from snooping their login credentials over unencrypted traffic (e.g. at a coffee shop). If they use the same login as their email or other accounts, then by excluding SSL from any tier, you're putting those users at risk, not just within your own app, but for their other accounts as well.

In an ideal world, if your app has the ability to login, it should have SSL. And I'm not trying to be a judgmental idealist either, just answering the "why" question after thinking it through. I'm certainly guilty of having a couple old apps out there I've not yet updated to use SSL. I think I may have to go do that now.