SSL "costs"? Google busts the myth, publicly.
SSL "overhead" has been largely, at least for the last 8 years, a myth and barely measurable. Just ask Google.
http://techie-buzz.com/tech-news/google-switch-ssl-cost.html (this is a widely reported and important link, mods, but feel free to edit it if the register already reported on this Google SSL story especially if there is an internal register link). Google turned on SSL for ALL of their services around November 2010, not just for gmail anymore.
This is a Facebook ROLLOUT (actually BECAUSE of the recent hack of Zuck's account, Zack's hack didnt cause the push - Facebook had planned to release SSL for everyone all at once, but decided move it quicker by rollout, based on the public story of Zuck's hacked account)
FB has been working at turning SSL for its whole site since July of 2010, and since about December, I at least have been able to force each page to SSL using the FF plugin mentioned numerous times here.
Unfortunately, out of 4 accounts, 1 has the setting Sophos was talking about recently, I have the baited breath for the other 3 to be SSL'd soon!