Saw this mentioned in Risks Digest: "SSL's Credibility as Phishing Defense Is Tested". SSL includes a "plain text" encoding method (not encrypted), which doesn't require a certificate and so doesn't require any certification authority to vouch for the identity of the certificate holder. It seems to me that browsers shouldn't support that encoding method, but then it seems crazy that such a method is part of SSL in the first place. Isn't the whole point of SSL to be secure?