Assumption: Evil powers still cannot break SSL that works as it should with random data and unknown private keys without centuries or millennia of computer time..
End-to-end encryption only works if the endpoints themselves are doing the encryption. Let's take a few examples:
Social media: Person A posts something online. The endpoints, the real endpoints, are Person A and all of Person A's followers. Is there encryption between Person A and all of Person A's followers? No, not currently, and that is the problem. If there were encryption between these endpoints, the evil powers would pull out their hair. Instead they short-circuit things, compromise the world thanks to Facebook, and get an easy in to everything. They are performing a traditional man-in-the-middle. Encryption, without compromises, is the key.
Instant messages: I send message to Google (Google Talk, Hangout, etc.) and they froward it on to my friends instantly. Are the endpoints doing encryption? No, not usually, and even with Off-The-Record functionality that Google provides, it is still plaintext along the way. This is the problem. It needs to be encrypted by the endpoints.
Skype: Same as above. The service in the middle is the problem.
There are some easy solutions for some of these.
First, the best solution is to be your own service provider somehow. When federation really makes this happen properly and we each control our content with others we trust directly then that will be neat. Maybe we can still use things like OpenID to help handle that authentication in the meantime, but keep in mind that delegating trust to one party means that if another party compromises them then all bets are, again, off. We each need to provide our own trust directly to others so that end-to-end encryption can happen. If the other ends are ever compromised, revoke their trust and then handle things going forward, but at least it's possible to know and handle that situation. I think the right way for this to happen involves our own services becoming insanely simple to deploy, and then running them at home, each of us being our own little provider. I know... too hard for the common user today, but so was accessing data via the Internet twenty years ago.
Second, in the meantime some of these services can be fixed right now. Run Pidgin to connect via Google Talk, or AIM, or ICQ, or anything else that's person-to-person, and implement the Off-The-Record plugin in there. Hooray! True end-to-end encryption. The service provider just sees crap in between, which is SSLized crap, and that's the end of their involvement even if the power scum that force them will take their data at gunpoint. Since he party in the middle has no keys, they have no data. Suddenly the evil powers must start attacking individuals instead of intermediaries which is much harder for them to do.
By the way, never use the same password, or even minor variations on passwords, on any two things, ever. Just don't. When you do, you make it trivial to take everything with the weakest link compromised. Which link will be attacked by anybody really caring? The weakest of course. Make them all strong, and different. LastPass is a good, secure option if you cannot manage passwords on your own without any intermediary (yes, it's work).
Anyway, just some thoughts.
