As for the argument about "TLS everywhere", you have to ask who is
going to pay for it. The end-user cannot demand it; only the server
can. TLS is universally available today, and servers rarely use it
for anything other than getting credit cards or passwords.
Servers do not use it for everything because the cost of using TLS
with X.509 certificates from an entity such as Verisign is on the
order of $700 per server per year per hostname. Why should anyone be
required to pay such an outrageous tax simply to be able to protect
their home photo collection from being tampered with in transit to
a visitor's browser?
Granted, we could all become our own CAs, but that scares end users
and reduces the trust model because we don't want to train users to
accept a new CA cert from every site they go to.
Jeffrey Altman * Sr. Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support(_at_)kermit-project(_dot_)org

C-Kermit 7.1 Alpha available
includes Secure Telnet and FTP
using Kerberos, SRP, and
OpenSSL. SSH soon to follow.