Re: why, why, why... what is the point?
"Why should we *not* secure websites?"
Because:
1. It is a burden for people running smaller websites that don't have logins etc. and thus don't actually need to be "secure". Whether or not this can be hijacked by nefarious people shouldn't be the web site's problem.
2. Numerous public APs force false certificates at you if you go to https sites - KFC I'm looking at you - which either intentionally breaks or intentionally compromises the basic security expectations.
3. Remind me - where is the mechanism to prove that site X is really site X? We are mostly stuck with taking somebody else's word for it...