There's nothing "paid" about specifying how we connect to your origin (i.e., with HTTPS or HTTP). This setting is available to all plans, free or otherwise.
During onboarding we attempt to establish a connection to your origin using HTTPS. If successful (i.e., your http daemon is listening on TCP 443, speaks TLS, and presents a certificate), we'll default you to using "Full" mode; if not, "Flexible" mode will be set.
Either way, this setting can be changed at any time: simply log in and click the Crypto app in our top level nav. The setting you are looking for is the first one presented on the screen.
In terms of your second comment, we're planning on rolling out a simple way for you to install a free CloudFare-signed certificate on your origin and use that in Strict mode ("Full" with full chain validation). Don't have a GA date for this yet, but it will be announced on our blog once available to all (still in beta).
Source: CloudFlare TLS PM
