SSL: Security vs Trust

Users often confuse SSL security with trust, but there is an important distinction. SSL certificates and lock icons merely indicate an encrypted connection; that connection could just as well be with an untrustworthy attacker. With services like StartSSL and FreeSSL, anyone can obtain an SSL certificate in minutes, so a fraudulent company can easily set up an SSL-secured website and exploit this confusion for its own benefit.

In fact, this is precisely what researchers did in a 2006 study. Exploiting a class of attacks called semantic attacks, the researchers set up a fake phishing site at a lookalike address (with two v's instead of a w), complete with a padlock in the page content, a spoofed VeriSign logo, and an SSL certificate. The two sites looked identical, and it was only after users had typed in their bank credentials and tried to log in that the forgery became obvious. By then it was too late: viewers who had learned to trust the visual cues were easily fooled by the ruse.
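One defensive check that the "two v's" trick suggests, added here as an example and not taken from the original article or the study: normalise visually confusable character sequences in a hostname and compare its registrable domain against a list of protected brand domains, so a lookalike registration shows up in proxy logs or certificate transparency feeds regardless of whether it carries a valid certificate. The confusable table, the protected domains and the sample hostnames are constructed assumptions.

```python
"""Lookalike-domain check for the 'two v's instead of a w' style of semantic attack.

Added example, not part of the original article. The confusable table,
protected domain list and sample hostnames below are constructed.
"""

# Confusable sequences an attacker may substitute for a legitimate letter.
# Constructed starting list; extend it for the brands you protect.
CONFUSABLES = [
    ("vv", "w"),
    ("rn", "m"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
]

# Constructed list of domains we want to detect impersonation of.
PROTECTED = {"westbank-example.com", "examplebank.com"}

# Constructed sample hostnames, e.g. pulled from a proxy log or a CT feed.
SAMPLE_HOSTNAMES = [
    "www.westbank-example.com",     # legitimate subdomain
    "login.vvestbank-example.com",  # two v's in place of w
    "exarnplebank.com",             # r+n in place of m
    "examp1ebank.com",              # digit one in place of l
    "unrelated-site.org",           # unrelated, must not be flagged
]


def skeleton(hostname: str) -> str:
    """Collapse confusable sequences so visually similar names compare equal."""
    host = hostname.strip().lower().rstrip(".")
    for lookalike, canonical in CONFUSABLES:
        host = host.replace(lookalike, canonical)
    return host


def registrable(hostname: str) -> str:
    """Crude registrable domain: the last two labels (assumes no multi-part
    public suffixes such as co.uk in the protected list)."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def lookalike_of(hostname: str, protected=PROTECTED):
    """Return the protected domain that `hostname` visually imitates, or None.
    A protected domain itself (or a subdomain of one) is never a lookalike."""
    reg = registrable(hostname)
    if reg in protected:
        return None
    sk = skeleton(reg)
    return next((legit for legit in protected if sk == skeleton(legit)), None)


def flag_hostnames(hostnames, protected=PROTECTED):
    """Map each suspicious hostname to the protected domain it resembles."""
    return {h: t for h in hostnames if (t := lookalike_of(h, protected))}
```

Running `flag_hostnames(SAMPLE_HOSTNAMES)` flags the three constructed lookalikes and leaves the legitimate subdomain and the unrelated site alone; in practice the skeleton comparison is the cheap first pass, followed by a manual review of any hit.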

The ease of obtaining an SSL certificate means that encryption is a necessary but insufficient indicator of trust on the Internet. User misconceptions only give attackers easy opportunities to abuse this misplaced trust for their own benefit.