On 5 Dec 2003, at 11:55, Bob Beck wrote:
There is an expectation that URLs which do not produce "this certificate is not trusted" messages are safe for people to use to disclose sensitive information like credit card numbers. The average consumer has been educated to this effect at great length by commerce-oriented websites and browser vendors.
Sorry, this is the night soil of a large and very well fed male ox. Anyone who believes that more than 20% of the users have been educated to do this hasn't gone around spoofing their own https sites on their wireless lans and measuring how many passwords they get.
20% of users is more than enough to create a helpdesk nightmare for a web hosting company, and represents sufficient potential lost revenue to make any merchant give money to a CA.