>>8using gpg instead of usernames and passwords? yes, that would be a step up. using gpg on top of non-encrypted http? no, that's fucking stupid. gpg is designed for e-mail, not for interactive exchange of small packets like in ssl/tls. it guarantees no replay protection and no forward secrecy.