Sure, there is always the risk of MITM but at least you force the attacker to make an active attack, which then creates the opportunity to detect the hacker. Just have a few police stings in campus coffee shops or whatever and I bet you'd have some impact on the practice.
I'm amazed sometimes at the XOR approach we take towards security - either very secure but lots of cost/hurdles, or absolutely and completely insecure. A better approach is to provide a tiered system where everybody can work out how secure is secure enough for a particular application. Use DNSSEC and stick the required security level (as well as certificates) in the DNS record for a site and you have a standard way of ensuring the client and server are on the same page where security is important.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds