[security] Please convince me not to ban SSL (OP's)
SitG Admin
sysadmin at shadowsinthegarden.com
Fri May 8 04:27:25 UTC 2009
I've been trying to go from "reasonable security" to "maximum
security", and it's driving me up the proverbial wall. Spoofing (of
DNS), where SSL is absent, has two forms that I can see: one is to
spoof the OP client-side, and that much I can at least hold users
responsible for - they need to look for that lock icon, and respond
cautiously to bad certs. But it's *RP*-side that gets more
complicated, if the URI itself is not served over SSL, because if the
*server* gets fooled it will happily allow the "user" to authenticate
with a new OP that has a perfectly valid and legitimate cert. So,
while I'm not worried about a user giving away the credentials with
their OP to an attacker, I *am* worried about an attacker posing as
the user and tricking my server into accepting that claim.
If the URI doesn't have SSL, it seems somewhat less than useless to
put effort into supporting SSL for OPs. If the attacker is going to
go to all the trouble of spoofing my server to pretend to be an OP,
they might as well do it for the URI, in which case SSL won't help.
Apart from the niche case of an OP forgetting to renew their domain
and someone else promptly putting it to bad use, I can imagine
someone breaking into the OP's account with a registrar and
redirecting traffic; this would limit the attacker's ability to
compromise DNS to that single domain. This seems to be a strong
argument for using SSL on OPs, but I still find myself unconvinced.
If I'm missing something, please let me know.
-Shade
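The RP-side failure Shade describes, as an added illustration (not code from the original post or from any OpenID library). It reads "the URI" as the user's claimed identifier, the page the RP fetches to discover which OP to talk to (OpenID 2.0 HTML discovery via `<link rel="openid2.provider">`). The sample documents, host names and function names below are constructed for this example. With the identifier fetched over plain http, a spoofed discovery document steers the RP to an attacker-run OP whose certificate is perfectly valid; the RP policy shown refuses discovery that did not come over https, and separately checks that the assertion's endpoint matches what discovery returned.

```python
"""RP-side OpenID 2.0 HTML discovery with a transport-policy check.

Constructed, offline example: the "responses" are literal strings that
stand in for what an RP would fetch from the claimed identifier URL.
Function names and the policy flag are this example's own, not taken
from any OpenID library.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():      # rel may carry several tokens
                self.links.setdefault(token.lower(), href)


def discover(claimed_id, html):
    """Parse OpenID 2.0 HTML discovery tags from the page at claimed_id.

    Returns (op_endpoint, local_id); raises ValueError if no provider tag.
    """
    p = _LinkCollector()
    p.feed(html)
    endpoint = p.links.get("openid2.provider")
    if endpoint is None:
        raise ValueError("no openid2.provider link in discovery document")
    return endpoint, p.links.get("openid2.local_id", claimed_id)


def rp_accepts(claimed_id, html, asserted_endpoint, require_https=True):
    """Decide whether an RP should trust a positive assertion.

    require_https: refuse identifiers served over plain http, since an
    attacker who spoofs DNS for the identifier host can rewrite the
    provider link, and TLS on the OP alone does nothing against that.
    The endpoint named in the assertion must also equal the one that
    discovery produced (the OpenID 2.0 "verify discovered information"
    step), which catches an OP swap after discovery.
    Returns (accepted, reason).
    """
    scheme = urlsplit(claimed_id).scheme.lower()
    if require_https and scheme != "https":
        return False, "claimed identifier not served over https"
    try:
        discovered_endpoint, _ = discover(claimed_id, html)
    except ValueError as e:
        return False, str(e)
    if discovered_endpoint != asserted_endpoint:
        return False, "assertion op_endpoint does not match discovery"
    return True, "ok"


# Constructed sample: what the user's real identifier page serves.
LEGIT_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/auth">
<link rel="openid2.local_id" href="https://op.example.net/u/shade">
</head><body>home page</body></html>"""

# Constructed sample: what a DNS spoofer of the identifier host serves
# instead. Same markup, but the provider is an OP the attacker runs,
# reachable over https with its own legitimately issued certificate.
SPOOFED_PAGE = LEGIT_PAGE.replace("op.example.net", "evil.example.com")

if __name__ == "__main__":
    # Plain-http identifier, spoofed page, no transport policy: fooled.
    print(rp_accepts("http://user.example.org/", SPOOFED_PAGE,
                     "https://evil.example.com/auth", require_https=False))
    # Same attack with the policy on: refused before discovery is trusted.
    print(rp_accepts("http://user.example.org/", SPOOFED_PAGE,
                     "https://evil.example.com/auth"))
    # https identifier, genuine page, assertion from the right OP.
    print(rp_accepts("https://user.example.org/", LEGIT_PAGE,
                     "https://op.example.net/auth"))
```

The first call is the case from the post: every check a naive RP performs passes, because the attacker never had to defeat TLS anywhere, only the unauthenticated http fetch of the identifier. Requiring https on the identifier moves the DNS-spoofing attacker from "free win" to "needs a certificate for the victim's host name", which is the protection the thread is weighing.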