>There is an expectation that URLs which do not produce "this certificate is not trusted" messages are safe for people to use to disclose sensitive information like credit card numbers. The average consumer has been educated to this effect at great length by commerce-oriented websites and browser vendors.

Sorry, this is the night soil of a large and very well fed male ox. Anyone who believes that more than 20% of the users have been educated to do this hasn't gone around spoofing their own https sites on their wireless LANs and measuring how many passwords they get. And I'm being *generous* with the 20% - I typically get a valid password 9 out of 10 connections to a spoof site.

What lusers have been educated to do is "Oh look, an annoying box has popped up. Click the button to make it go away so I can keep going." I seriously doubt they differentiate it too much from popup ads for porn sites or herbal viagra.

-Bob