
As the person who invented (and misspelt) the referer link, I don't agree with the arguments made against it. The purpose of the referer link is to allow servers to collate pages of backlinks. This would make the Web browsable in both directions. I could never understand why Netscape supported the facility in the browser without also supporting the capture functionality in the server. It's a simple matter to add support but they seem uninterested. Of course there should be a toggle to allow users to turn off the referer field. I tried to get a recommendation to do this put into the spec. People then started shouting at me saying that it was impossible to enforce and so the recommendation shouldn't be there. Quite what the relevance of 'enforcement' is I don't know. Then they started jamming stupid ideas like cookies into the spec, ideas that showed all of five minutes' thought.
Which was my original point. I'd even be willing to *pay* for a cert, but not more than about $15. I just find it odd that I can get SSL server software for cheaper than I can get a license to operate said software. Hey Verisign, why don't you offer a Class 1 server certificate?
The manner in which SSL is designed means that it requires a degree of trust in the certificate. Allowing the browser to automatically accept a class 1 cert would be somewhat foolhardy. Because someone put that damn key on the bottom of the browser, some people expect there to be security. Instead they get encryption, which ain't quite the same thing. There is nothing to stop you using a non-standard cert with SSL, however. I use Apache with a cert I wrote myself.

Phill