So in other words, IPv6 from the backbone to a home PC's 802.11g radio will be deployed around the time the last mainstream non-SNI PC operating system is scheduled to die anyway [microsoft.com].
So how would you explain to the users that a blog, forum, or wiki is supposed to raise a serious certificate error after the user is logged in, and that HTTPS with such a serious error is safer for the user than an HTTP connection that can be Firesheeped?
Ask the Gentoo guys behind bugs.gentoo.org, who use a CA whose cert isn't generally shipped, or anyone who's using a self-signed cert. I'm not here to get into an argument over the weights, values and concerns of various degrees of encryption and authentication. For some, it's enough that passive sniffing isn't feasible. For some, that isn't enough, and you need to authenticate the server identity.
Don't ask me to make grand sweeping statements of 'X is enough security', because security is a case-by-case thing. Heck, I note that even Slashdot isn't defaulting to SSL.
The difference between $5 per month name-based shared hosting, which may put a thousand or more domains on one IPv4 address, and a VPS. You mention a $5 to $7 per month VPS plan; which provider do you recommend?
I use prgmr.com. I wouldn't put a full LAMP server on a $7/mo plan; the low-end plans wouldn't really be up to it. But, again, I could easily imagine paying that just so you can drop a squid proxy server on it listening on port 80. Have your domain point to that. Have squid serve as an accelerator proxy, pointing to your shared hosting provider. Squid can wrap your clients' connections with your SSL cert so they can't be firesheep'd on their local wireless or by their local malicious network. Granted, the connection between squid and your shared hosting provider is unencrypted, but the people on that route are far less likely to care. (so long as your VPS and shared hosting provider are in the same country).
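The accelerator-proxy setup described in that comment, written out as a squid.conf fragment. This is an added example, not the commenter's own configuration; the domain example.org, the origin host shared.host.example and the certificate paths are assumed placeholders.

```squid
# Browsers connect here: Squid terminates TLS with your own certificate,
# so the client's session cookies are never on the wire in the clear.
https_port 443 accel defaultsite=example.org vhost \
    cert=/etc/squid/example.org.crt key=/etc/squid/example.org.key

# Optional plain-HTTP listener on the same VPS IP (what the comment calls
# "listening on port 80"); anything served here is still sniffable.
http_port 80 accel defaultsite=example.org vhost

# The origin is the name-based shared host. Note the backhaul is plain
# HTTP on port 80: only the path between the VPS and the shared host sees
# cleartext, not the user's local wireless.
cache_peer shared.host.example parent 80 0 no-query originserver name=origin

# Only accelerate our own site; refuse to act as an open proxy.
acl our_site dstdomain example.org
http_access allow our_site
http_access deny all
cache_peer_access origin allow our_site
cache_peer_access origin deny all
```

Because the shared host sees requests arriving from the VPS, keep the default `forwarded_for on` so the application can still log the real client address from X-Forwarded-For.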
Personal use SSL certificates have been free of charge from StartCom for some time now.
StartCom's free certs are only good for a year. You're far better off spending a dollar or two more per month than spending time every year coping with cert rollover headaches. If you can't afford that (after spending $7-10/yr for a domain), I have to wonder why you aren't using a wiki, forum or blog farm that handles these things centrally, and for free.
Is there a standard WordPress app, a standard phpBB 3 app, or a standard MediaWiki app?
There's a WordPress app. I don't know if a MediaWiki app has cropped up, but I'd been considering writing one as an interface to my own site. I don't know if anyone's written a phpBB 3 app, but I can imagine some real benefits to it. (Imagine having your phone use the normal notification channel to inform you of PMs or replies.)
The market is in a crunch right now, with security concerns and IPv4 address depletion. It's not a pretty situation, and something has to give. Before anything else, that's going to be the IE-on-WinXP market. (IPv6 doesn't even solve the IE-on-WinXP issue, since you need to explicitly enable experimental IPv6 support to get it on WinXP)
According to Google Analytics, my site had 126,947 visits over the last month, and only 5,480 of those were from IE-on-WinXP. That's 4.3% of my traffic. I'd stop giving one whit about IE-on-XP once it's down to about 5%, so IE-on-XP is no longer something I need to care about. Heck, I had 22,387 visits from WinXP during the same period, which tells me only one in four WinXP users are still using IE when they visit my site.
IE-on-XP is not a demographic most people need to be reaching for. And, really, if you need TLS, and you need a non-SNI circumstance, and you can't afford another $5/mo (heck, even Linode was only charging $1/IP more, last I checked), then you need to put up a donation link with something like PayPal, and get your users to help support a service you obviously can't afford to provide on your own. That's what carried my site for a couple years.