Does anyone actually really think that they need to use SSL? Or do they just add it because people who do not know will think “where’s my little lock icon? this is insecure!” if it’s not there?
Have there ever been any occasions when someone lifted a password or credit card number off the wire rather than just owning the end machine and nicking all its credit card numbers?
Update: topic covered eloquently and in better detail in ”What’s Your Threat Model?”