SSL is also the minimum

I think that we've reached the point where requesting SSL for password entry is no longer a massive change. I question your "half the sites". But even if true, this is the minimum step needed to substantially reduce spoofing. This is the least necessary step to halt spoofing. The spoofers are quite skilled and will defeat the lesser changes with ease.

As for authentication, I think we have overemphasized the value of "official" authentication. Consider the spoofing case alternatives:

a) With http, the first time I know nothing about the other side except what I see on the screen. The second time I also know nothing except what I see on the screen.

b) With a self-signed cert, the first time I know nothing about the other side except what I see on the screen. The second time I know that it is the same people as before. (Spoofing is successfully defeated.) You know about the other side through their behavior in the past.

c) With an "official" cert, I know what I see on the first screen and know that someone has checked that the organization information in the certificate is correct. This is the small increment that is overemphasized. On the second time, it is like b). Since the issuers of "official" certs assume no legal liability for the results of a loss due to an error in the cert, you have an indication of how much the issuers value their authentication.

There is a simple meaningful coexistence of various levels of certificate authority. To a very large degree our actual mechanisms are based on watching past behavior of people. I just need to know with confidence that it is the same person.
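The continuity check that case b) relies on (remember the certificate seen the first time, confirm it is the same one on every later visit), as an added Python illustration that is not part of the original comment; the host name and certificate bytes are constructed placeholders standing in for the DER certificate a TLS client receives in the handshake.

```python
"""Trust-on-first-use (TOFU) continuity check, as in case b) of the comment.

Added illustration, not code from the original comment. The certificates
below are constructed placeholder bytes; a real client would hash the DER
certificate presented during the TLS handshake.
"""
import hashlib
from typing import Dict, List


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate bytes, hex encoded (the value that gets pinned)."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Remembers the first certificate seen per host, like an SSH known_hosts file."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, host: str, cert_der: bytes) -> str:
        """Classify this connection as 'first-use', 'continuity' or 'mismatch'.

        first-use:  nothing known yet, so pin it; only the screen tells us who this is.
        continuity: same certificate as before, so it is the same party as last time.
        mismatch:   different certificate; a legitimate rotation or a spoof, so stop
                    and verify out of band before sending a password.
        """
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            return "first-use"
        return "continuity" if pinned == fp else "mismatch"


# Constructed sample "certificates" standing in for DER-encoded certificate bytes.
BANK_CERT = b"-- constructed self-signed cert for bank.example --"
SPOOF_CERT = b"-- constructed cert presented by a look-alike host --"


def demo() -> List[str]:
    """Three visits to the same host name: pin, confirm, then detect a change."""
    store = TofuStore()
    return [
        store.check("bank.example", BANK_CERT),   # first visit: pinned
        store.check("bank.example", BANK_CERT),   # second visit: same party
        store.check("bank.example", SPOOF_CERT),  # different cert: do not proceed
    ]


if __name__ == "__main__":
    print(demo())  # ['first-use', 'continuity', 'mismatch']
```

The mismatch result cannot by itself distinguish a spoof from a routine certificate renewal, which is exactly the gap an "official" cert's identity check in case c) is meant to cover.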
