"...cannot be upgraded to SSL in a practical manner"
Um, why would that be? I'm having trouble imagining.
Once upon a time, getting an SSL certificate cost $100 or so; installing an SSL certificate was a pain. Still, for any sort of web server with commercial intent, the costs and effort were negligible. I manage a site for a very small company, and it has used SSL for years. Ok, maybe it wasn't worth it for a hobbyist site.
As of a couple of months ago, with LetsEncrypt, the excuses are all gone. For the company I mentioned, I moved to LetsEncrypt this year. Even though the project is still officially in beta, getting and installing the certificate was totally painless - completely automatic. It was also free, as in beer. What possible reason is there, not to put SSL on every web server out there?
Ok, two reality checks:
- LetsEncrypt does not yet have an automatic renewal process. They believe in short-lived certificates, and at the moment that means that you have to manually renew your certificates every 3 months. That problem should be resolved in the next couple of months.
- Likely, many shared-hosting ISPs are not yet set up for LetsEncrypt. Some may even resist, because they make money selling SSL certs. A bit of market pressure should solve that problem, and likely will by the end of 2016.
Encrypt everything: your internet connection, your hard disks, your cat, everything. Not only for your own security, but also as your small contribution to the fight against overreaching governments.