Most people care less about assurance and more about encryption. I.e., unless you're subject to a MITM DNS attack, you're a lot less likely to be directed at the wrong paypal.com than you are to, say, have your password sniffed off the wire or captured by a keylogger on the local machine.
And that identity assurance is where most of the scam comes in. Encrypting communication securely is dead simple (from an implementation standpoint: pick a cipher and go); making sure server X actually represents who they say they do, that's a whole different can of worms.
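To make the "pick a cipher and go" vs. "who am I actually talking to" split concrete, here is an added example (my own, not code from either commenter): a toy Diffie-Hellman key agreement between a client and a server. With an honest path both sides derive the same key and the traffic can be encrypted just fine. If something on the path substitutes its own public value, the client still gets a working encrypted channel, only not with the server it wanted, and nothing in the cipher tells it so. Binding the server's public value to an identity secret (an HMAC with a pre-shared key, standing in here for the signature a certificate would carry) is what makes the substitution detectable. The group parameters, the pre-shared key and the relay model are all constructed for illustration and toy-sized.

```python
"""Toy key agreement: encryption without identity assurance vs. with it.
Constructed example; P is far too small for real use."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # Mersenne prime, toy group size
G = 2


def keypair():
    """Return a (private, public) Diffie-Hellman pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """Session key: SHA-256 over the shared group element."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def authenticate(identity_key, pub):
    """Tag a public value with the identity secret (stands in for a cert signature)."""
    return hmac.new(identity_key, pub.to_bytes(16, "big"), "sha256").digest()


def honest_wire(pub, tag):
    """Network path that delivers what was sent."""
    return pub, tag


class SubstitutingRelay:
    """Models a path where something other than the intended server answers:
    every public value that passes is replaced with the relay's own, so the
    relay ends up sharing a key with each side. The tag is forwarded unchanged,
    which is exactly what the identity check catches."""

    def __init__(self):
        self.priv, self.pub = keypair()
        self.seen = []          # public values observed on the wire, in order

    def __call__(self, pub, tag):
        self.seen.append(pub)
        return self.pub, tag


def run_exchange(on_the_wire, identity_key=None):
    """Client and server exchange DH public values through `on_the_wire`.
    With identity_key set, the server tags its value and the client verifies
    the tag before trusting it. Returns (client_key, server_key, verified)."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()

    # Server -> client: public value, optionally bound to an identity
    tag = authenticate(identity_key, s_pub) if identity_key is not None else b""
    pub_at_client, tag_at_client = on_the_wire(s_pub, tag)

    verified = True             # with no identity check, the client just proceeds
    if identity_key is not None:
        expected = authenticate(identity_key, pub_at_client)
        verified = hmac.compare_digest(expected, tag_at_client)

    # Client -> server: no identity claim on this side in the toy model
    pub_at_server, _ = on_the_wire(c_pub, b"")

    return derive_key(c_priv, pub_at_client), derive_key(s_priv, pub_at_server), verified


if __name__ == "__main__":
    ck, sk, ok = run_exchange(honest_wire)
    print("honest path, no identity check: keys match =", ck == sk)

    relay = SubstitutingRelay()
    ck, sk, ok = run_exchange(relay)
    print("substituted path, no identity check: client proceeds =", ok,
          "| keys match =", ck == sk,
          "| client key is actually shared with relay =",
          derive_key(relay.priv, relay.seen[1]) == ck)

    secret = b"constructed pre-shared identity secret"
    ck, sk, ok = run_exchange(SubstitutingRelay(), secret)
    print("substituted path, identity check: client detects it =", not ok)
    ck, sk, ok = run_exchange(honest_wire, secret)
    print("honest path, identity check: verified and keys match =", ok and ck == sk)
```

The point the run makes is the one in the comment above: the cipher side never fails, even on the substituted path the client holds a perfectly good key, it is just shared with the wrong party. Only the identity binding turns that into a detectable failure, and in real TLS that binding is the certificate chain and hostname check rather than a pre-shared HMAC key.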