by jrockway
5710 days ago
Securing the connection layer doesn't matter. With a $10 Wifi card I can create an infrastructure access point called "Starbucks Wifi" or whatever I want that's encrypted with anything (WPA2, WEP, open... doesn't matter). Then when you connect to that, I get all your packets and can steal your session. Now, sure, this attack costs me $10 for the wifi card and it's not as fast as connecting to Starbucks' wifi and opening a Firefox tab... but you will still get a lot of data. Link-level encryption is not the same as session encryption. For your link to be secure, you need link-level encryption. For your session to be secure, you need session-level encryption. It's that simple. Facebook is a session, not a link, so Facebook needs SSL. There is simply no other workaround. (And oh yeah, you need to authenticate who you are talking to. The access point asks you for a password to prove that you are allowed to talk to it. But you don't ask it for a password to prove that it is allowed to talk to you. Connecting to an access point is like giving your credit card information to the call that starts like, "Is this jrockway? There's a problem with your credit card...". They know who you are, but you have no idea whether they are actually your bank.)
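Added example, not part of jrockway's comment: a stdlib-only Python model of the two layers the comment distinguishes. The access point is the other endpoint of the link, so it necessarily holds the link key (WPA2's pairwise key is derived on the AP); the session key is shared only between the client and the origin server (the TLS analog). The cipher is a toy HMAC-SHA256 keystream with an HMAC tag, standing in for both WPA2 and TLS; the HTTP request, hostname and cookie value are constructed for the demonstration. The functions return what the AP can see after doing its normal link-layer decryption.

```python
"""Toy model: link-level encryption does not hide a session from the access point.

The AP is one end of the wireless link, so it holds the link key by design.
Only a key the AP never had (the session key) keeps the payload from it.
Cipher below is a teaching toy (HMAC-SHA256 keystream + HMAC tag), not WPA2 or TLS.
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` pseudorandom bytes (counter-mode style)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Tag covers nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream. Raises ValueError on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


# Constructed sample request; the host and token are placeholders, not real values.
HTTP_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: social-site.example\r\n"
    b"Cookie: session=CONSTRUCTED_SESSION_TOKEN\r\n\r\n"
)
COOKIE_MARKER = b"Cookie: session="


def what_the_ap_sees(use_session_encryption: bool) -> bytes:
    """Simulate client -> AP. Returns the bytes the AP has after link decryption."""
    link_key = secrets.token_bytes(32)     # shared by client AND access point (WPA2 layer)
    session_key = secrets.token_bytes(32)  # shared by client AND origin server only (TLS layer)

    # Session layer: either end-to-end encrypted, or the raw HTTP request.
    payload = encrypt(session_key, HTTP_REQUEST) if use_session_encryption else HTTP_REQUEST

    # Link layer: always encrypted here, i.e. "secure" Wi-Fi in the comment's sense.
    frame = encrypt(link_key, payload)

    # The AP is the other end of the link; decrypting the frame is its normal job.
    return decrypt(link_key, frame)


def ap_can_read_cookie(use_session_encryption: bool) -> bool:
    """True if the session cookie is visible to the AP in cleartext."""
    return COOKIE_MARKER in what_the_ap_sees(use_session_encryption)


def ap_can_alter_session_unnoticed(use_session_encryption: bool) -> bool:
    """True if the AP can flip a byte of the session payload without the server noticing.

    The server's check is the session-layer tag; without session encryption
    there is no tag at all, so any modification goes through silently.
    """
    session_key = secrets.token_bytes(32)
    payload = encrypt(session_key, HTTP_REQUEST) if use_session_encryption else HTTP_REQUEST
    tampered = bytearray(payload)
    tampered[NONCE_LEN + 4] ^= 0x01  # AP flips one bit in transit
    if not use_session_encryption:
        return True  # nothing for the server to verify
    try:
        decrypt(session_key, bytes(tampered))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for flag in (False, True):
        print(f"session encryption={flag}: AP reads cookie={ap_can_read_cookie(flag)}, "
              f"AP alters unnoticed={ap_can_alter_session_unnoticed(flag)}")
```

The toy cipher deliberately lacks the part the comment's parenthetical is about: the session key here is simply handed to both ends, whereas real TLS binds that key to a certificate the client verifies, which is what stops the rogue AP from standing in for the origin server as well as for the network.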