I'd be interested to hear thoughts on HTTP digest auth as an alternative to full end-to-end encryption for avoiding these attacks.

Personally I'm hopeful that Firesheep will be what it takes to persuade browser vendors (and the HTML5 crowd) that real usable support for HTML login forms based on HTTP digest authentication is a necessity.

There are some pretty significant issues involved in rolling out full-on SSL which, while not insurmountable, do lead one to wonder if a more lightweight solution like HTTP digest auth might be sufficient for most non-security-critical cases.

On this topic http://www.cgisecurity.com/2010/01/weaning-the-web-off-of-session-cookies-making-digest-authentication-viable.html is worth a read.
> In the past, an SSL service required a dedicated IP address. This isn't true any more with the advent of Server Name Indication (RFC 3546) and improvements in TLS.

If any of your users are using Internet Explorer on Windows XP, then this seems to still be true, alas - http://www.alexanderkiel.net/2008/04/22/status-of-tls-sni/

This isn't an issue for the likes of Facebook, of course, but it is a problem for sites small enough to be on shared hosting.