You know, at some point we should really re-evaluate the use of SSL in our Web architectures. Let’s face it, it hasn’t really done much for us:
1) Users read way too much into its functional value.
2) The threat model for sensitive Web data has never really been one of sniffing traffic. There are still way too many websites that can be attacked directly for passive sniffing to be the path of least resistance.
3) If you are going to compromise some device, you might as well compromise the host itself and not some intermediate device.
4) The bad guys are now leveraging SSL more and more to shield their activities from the good guys' network sniffers.
Sure, it is needed nowadays to protect Basic authentication, but we really shouldn't be sending userid/password pairs in the clear anyway.
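To make the last point concrete, here is an added example (not part of the original post) showing what a passive sniffer recovers from a plaintext HTTP request using Basic authentication versus one using RFC 2617 Digest authentication. The request bytes, the hostname example.test, the credentials alice/s3cr3t and the nonce are all constructed for the example; the server-side check is simplified (no qop, no nonce tracking).

```python
import base64
import hashlib
import re

# Constructed sample request (not captured traffic): HTTP Basic auth over
# plain HTTP. "YWxpY2U6czNjcjN0" is just base64 of "alice:s3cr3t".
BASIC_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    b"\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP request into a lower-cased header name -> value dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def sniff_basic(raw):
    """What a passive observer gets from a Basic-auth request: the userid and
    password themselves, because base64 is an encoding, not encryption."""
    auth = parse_headers(raw).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_digest_request(user, realm, password, method, uri, nonce):
    """Client side: the request a browser sends after a Digest challenge."""
    resp = digest_response(user, realm, password, method, uri, nonce)
    auth = (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')
    return (f"{method} {uri} HTTP/1.1\r\nHost: example.test\r\n"
            f"Authorization: {auth}\r\n\r\n").encode("latin-1")


def sniff_digest(raw):
    """What the same observer gets from a Digest-auth request: the username,
    the nonce and a hash bound to them, but not the password."""
    auth = parse_headers(raw).get("authorization", "")
    scheme, _, params = auth.partition(" ")
    if scheme.lower() != "digest":
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def verify_digest(fields, method, password_db):
    """Server side: recompute the response from the stored password."""
    password = password_db.get(fields["username"])
    if password is None:
        return False
    expected = digest_response(fields["username"], fields["realm"], password,
                               method, fields["uri"], fields["nonce"])
    return expected == fields["response"]


if __name__ == "__main__":
    print("Basic auth on the wire leaks:", sniff_basic(BASIC_REQUEST))
    req = build_digest_request("alice", "app", "s3cr3t", "GET", "/account", "abc123")
    seen = sniff_digest(req)
    print("Digest auth on the wire leaks:", seen)
    print("Server accepts:", verify_digest(seen, "GET", {"alice": "s3cr3t"}))
```

The caveat a practitioner would add: Digest only keeps the password out of the packet. A sniffer still gets the username and an MD5-based response it can brute-force offline, and can replay it if the server reuses nonces; and none of this helps against an attacker who has compromised the host or sits actively in the path, which is exactly the scenario in points 3 and 4 above.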