Ow, my brain. People forget how hostile an environment JavaScript is for trusted code. It's not just that you can stage an elaborate man-in-the-middle attack; it's that anything that allows you to run code in the same JS instance can sabotage the encryption. That includes MITM, but it also includes XSS and JavaScript injection, JSON injection, and it applies to every source of script and DOM content that builds up the page.
The most revealing thing to me was that you can buy an SSL certificate for as little as $30 these days (GoDaddy). It's been a while since I've had to order one for my company, but I seem to recall it costing several hundred dollars the last time I did it.
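The first comment's point, that any script sharing the JS instance can alter the encryption code, shown as an added example that is not part of the original thread. It is a constructed simulation in which `realm` stands in for `window`; `siteCrypto`, `toyEncrypt` and the other names are hypothetical.

```javascript
// Added example: constructed simulation, all names hypothetical.
// `realm` stands in for the page's shared global object (`window`).

// Toy XOR transform standing in for a real cipher; the point is who
// controls the function, not the strength of the math.
function toyEncrypt(msg, key) {
  return Array.from(msg, (ch, i) =>
    String.fromCharCode(ch.charCodeAt(0) ^ key.charCodeAt(i % key.length))
  ).join('');
}

// Script 1: the site's crypto library publishes its API on the shared global.
function loadCryptoLibrary(realm, harden) {
  const api = { encrypt: toyEncrypt };
  if (harden) {
    // Lock both the object and the global binding that points at it.
    Object.defineProperty(realm, 'siteCrypto', {
      value: Object.freeze(api), writable: false, configurable: false,
    });
  } else {
    realm.siteCrypto = api;
  }
}

// Script 2: any other script in the same realm (third-party widget, injected
// tag). It wraps encrypt so that it sees every plaintext before encryption.
function loadOtherScript(realm, observed) {
  const original = realm.siteCrypto.encrypt;
  try {
    realm.siteCrypto.encrypt = (msg, key) => {
      observed.push(msg);
      return original(msg, key);
    };
  } catch (err) {
    // In strict mode, assigning to a frozen property throws TypeError.
  }
}

// Script 3: application code calling whatever siteCrypto.encrypt currently is.
function simulatePage(harden) {
  const realm = {};
  const observed = [];
  loadCryptoLibrary(realm, harden);
  loadOtherScript(realm, observed);
  const ciphertext = realm.siteCrypto.encrypt('card=4111', 'k3y');
  return { ciphertext, observed };
}

console.log(simulatePage(false).observed, simulatePage(true).observed);
```

Freezing helps only when the trusted script runs first, and the built-ins and DOM it relies on are still shared with every other script on the page.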