Verified SSL certs (like you are using james007) are cheap nowadays. I use them on several sites I manage for clients that do billing and collect CC info.

On my site I use the free Lets Encrypt cert, not because I can't afford a verified cert but because of several features I put to use. I do not have the afore mentioned issues of james007 with corperate proxies and I block most of those server ranges anyway because of unwanted bot traffic.

Using raw server logs to identify UA string info plus rdns of host combined with known bot list & predictable behavior & header field patterns returns pretty reliable data to detetmine bot vrs human.

By blocking HTTP/1.0 and using a cert that blocks non SNI supported archiac browser versions (which have a high percentage of bots pretending to be humans) a lot of unwanted bot hits are blocked.

If I used a verified cert that allows these archaic browsers and HTTP/1.0, more traffic will be scraper tools & bots. How much depends on each individual site.

This advantage of the free cert (yes, I see it as an advantage) won't last much longer as the last of the archaic browsers vanish, but it acts as an efficient filter for now. Eventually it will be a moot issue.

There's a misconception that people are using shared or SNI-enabled SSLs because of cost.

I'm not doing this because they are free. I'm doing it because I wish to use a CDN. It is really very, very expensive to run a CDN like Amazon CloudFront or CloudFlare while using a SSL certificate unless you use a shared one (CloudFlare) or an SNI-enabled one (CloudFront). CloudFront charges $600 a month to use a custom SSL certificate (that isn't SNI-enabled). CloudFlare charges $200 a month to use a custom certificate. So, I'm "forced" into running a shared SSL (CloudFlare) or an SNI-enabled SSL (Cloudfront).

Regarding scrapers/bots - I don't care about them. And if you're running a CDN, you shouldn't either. A CDN should cache your site so that these bots have a minimal effect on server load. I'm not running Wordpress or other popular frameworks, so this matters even less to me since the security risk is rather lower; and a decent CDN will filter many out anyway. (As one example, CloudFlare filtered out a bunch of suspicious Argentinian machines pretending to be Googlebot the other day - and you can use Amazon Cloudfront rules to do similar if you want). The only issue is one of people stealing content; I'm not seeing it for my content, but there's no way of stopping CTRL+C CTRL+P.

SNI-enabled SSLs aren't just unavailable to "archaic browsers", as I've repeatedly said; they also get in the way of perfectly modern browsers with older network equipment. If you're happy to take that blind risk - since there's no way you can check you're affected - there's nothing wrong with SNI-enabled SSL infrastructure.

since there's no way you can check you're affected

There is if you have several sites to compare, as I do. Not a "blind risk."

To me, what's more of a blind risk is using a CDN that can't offer complete raw access logs. IMO without the ability to know exactly who/what is hitting your server, you will never have a comprehensive idea of how your site functions. Any stats or analytics software has limitations, only raw logs give the complete picture.

Both Cloudfront and CloudFlare offer complete raw access logs. CloudFlare offer theirs to enterprise customers; CloudFront offer theirs to anyone.

Well neither were available when I tested. Maybe it was a paid add-on. I couldn't do the things I wanted with either, and after testing from points around the globe, I found neither were any faster than my current SSD server. Good that you're satisfied though.