The short answer is no.
Either you know who you're dealing with and already know whether they are to be trusted, so you just want to communicate over a secure line, or you don't know them and you've really got no way to tell whether they wouldn't try to rip you off anyway. Might as well get a secure line nonetheless.
Certificates in general are supposed to perform one main function; that the person who owns this certificate is who they say they are, such that you can establish a secure connection to that person.
Paid-for providers and certificate authorities in general are effectively middlemen; it's often in their interests to imply (and market as such) that the person who owns that certificate is also some trustworthy entity (won't rip you off, basically), so as to convince a buyer that they are buying trust.
It's not unusual for the waters between "is who they say they are" and "is trustworthy" to be very muddied by CAs.
The free certificates are what are technically known as "Domain Validated" certificates.
That is, the certificate issuer (in many cases Let's Encrypt) only vouches that the owner of the DNS domain name is the same person that owns the website. It makes no claims about the trustworthiness of the website, its owner or the organisation it works with.
There exist other types of certificates.
- Organisation Validated (OV)*
- Extended Validated (EV)*
Organisation validated has the same vouches as a domain validated certificate, along with proof that the organization being issued the certificate legally exists (perhaps it exists in some companies register somewhere and some third party lawyer vouches its existence).
Extended Validated certificates, in addition to performing any DV and OV validation, also require some additional proof that the person wanting the certificate legally exists, such as a passport or birth certificate.
The problem here is that most people don't rely on CAs to define trust between two entities, only that the entity is the (trustworthy or not) person they say they are.
Add to this, there have been a number of incidents in the past in regard to certificate authorities being fooled into (or incompetently) issuing Extended Validation certificates to people who are not who they say they are.
Additionally, it's not really been tested from a legal perspective whether a Certificate Authority can be made liable for harm caused by identity fraud due to a mis-issued certificate.
In my opinion, the world of SSL certificates has been a huge barrel of snake-oil for many years and Let's Encrypt have disruptively (and rightly) corrected what were effectively greedy middlemen holding secure connections between parties to ransom.
EV certificates held no benefit to the public -- you've got no idea what they mean or stand for, nor do you really have any way to get your money back from a CA if that entity swindled you. Many browsers are in the process of removing (or have completely removed) the 'green bar' feature that used to be prominent with EV certificates and that was supposed to offer some kind of tentative value.
For the customer, they seemed to offer you the power to 'buy' trust. Something I feel if you were of good repute you'd not ethically do anyway.
OV certificates fall into the same bracket -- it's trivially simple to register a business and get one, but that says nothing about your trustworthiness as a business.
So, no - I personally don't see any good reason to buy an SSL certificate. I'd be interested to hear counter-arguments though as to why I'm very wrong.
* Note each certificate authority has slightly different schemes and policies for what their requirements are and what they accept as valid proof of identity. This means it's not as simplistic as I'm implying and in theory can be quite different between one provider and the next.