This is all well and good for desktop browsers, most of the folk reading this blog know how to spot the difference between an encrypted and unencrypted connection in their favorite browser. My real concern is mobile apps, where there really is no way for anyone to tell if Path/twitter/etc is sending our authentication data/address book/etc in cleartext or not. My guess is most startups don't prioritize getting an ssl certificate/connection on the back-end. The good news is most people don't bother connecting their iPhones or Droid devices to public wifi networks when they have a regular phone/data plan in place.