SSL for commerce is readily in place without batting an eyelid these days.

Costs are still way too high. This won't change until browsers are shipped that treat self-signed certs as being valid. Unfortunately, browser manufacturers believe in cert-ware for a variety of non-security reasons. Hopefully, one day the independant browser manufacturers will ship browsers that show a different icon for self- certs, rather than annoy the user with mindless security warnings. Then, we can expect a massive increase in secure browsing as sites start defaulting to self-signed certs, and a consequent massive increase in security, as well as a follow-on massive increase in the sale of certs. Unfortunately, we probably won't see an enhanced market for CA certs until Verisign goes broke.

However, I'd be interested to know just how many users out there would enter their card details on an unprotected site, despite the unclosed padlocks and the alert boxes.

Huge numbers of them. You won't see it in security lists, but most of your average people out there do not understand the significance of the padlock, and when merchants request credit card numbers, they quietly forget to tell them. And, in a lot of cases, credit card details are shipped over cleartext email rather than browsers. Many of these merchants have card-holder-present agreements, the restrictions of which, they just ignore. Commerce being what commerce is, it is more important to get the sale than deal with some obscure security nonsense that doesn't make sense.

Have security fears and paranoia been abated by widespread crypto to the point whereby users will happily transmit private data, whether encrypted or nay, just because they *perceive* the threat to now be minimal? Now that the media has grown tired of yet-another-credit-card-hack story?

Much of today's body of (OECD) net users don't read the news about the net and don't understand the debate, nor can they make sense of how to protect themselves from a site that is hacked... Three or four years back, much of the body of the net was still technically advanced and capable of understanding the fallacious security arguments. These days, perversely, the users are better able to evaluate the security risks, because they don't understand the arguments, so they look to the actual experience, which provides no warnings.

Pointers to any evidence/research into this much appreciated... ta.

Unfortunately, real data is being kept back by the credit card majors. It is my contention that there has never been a case of sniffed-credit-card-abuse, and nobody I've ever talked to in the credit card world has ever been able to change that. On the whole, all net-related credit card fraud is to do with other factors: mass thefts from hacked databases, fraudulent merchant gatherings, fear-of- wife revocations, etc. Nothing, ever, to do with on-the-wire security. -- iang