
It's funny how everyone says "just use SSL - that'll fix it", soon followed by "the SSL computation overhead isn't significant any more", which is totally true, but probably not the reason why SSL isn't more widely used.

Smaller sites will suffer from the fact that SSL requires an IP address per server. Name based virtual hosting is out of the question (at least as long as Windows XP is still around). Combine this with the IP address pool quickly getting smaller and smaller and you'll see that for smaller sites, it might be impossible to get the needed amount of addresses for a reasonable price.

For large sites, there's the problem of the various CDNs which are not always under the control of the site and might not be prepared for SSL.

Remember: All assets of an encrypted page must also be encrypted, otherwise the browsers display a nasty warning (even though unencrypted assets, when served from a different domain, would not be a problem as far as session hijacking is concerned).

"just use SSL" might just not be possible in some cases.
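The "all assets must be encrypted" rule is easy to check mechanically before flipping a site to HTTPS. The scanner below is an added example written for this thread, not code from any commenter: it parses a page with Python's `html.parser`, resolves every sub-resource URL against the page URL, and reports the ones a browser would fetch over plain `http://` (the ones that trigger the mixed-content warning). The sample page and the hostnames in it are constructed for the demonstration.

```python
"""Mixed-content finder: list the sub-resources of an HTTPS page that a
browser would fetch over plain HTTP and therefore warn about."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value the browser fetches as a sub-resource.
# Plain <a href> links are deliberately absent: navigating is not embedding.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class _SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # list of (tag, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only causes a fetch for stylesheets and icons; skip the rest
        # (canonical, alternate, ...), which are metadata only.
        if tag == "link":
            rel = (attrs.get("rel") or "").lower()
            if "stylesheet" not in rel and "icon" not in rel:
                return
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                # urljoin gives protocol-relative URLs (//cdn/...) the page's
                # scheme, so they are correctly treated as https on an https page.
                self.found.append((tag, urljoin(self.page_url, value.strip())))


def find_mixed_content(page_url, html):
    """Return (tag, url) pairs for sub-resources of `html`, served at
    `page_url`, that would be fetched over plain http://."""
    if urlsplit(page_url).scheme != "https":
        return []  # only an encrypted page can have mixed content
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.found
            if urlsplit(url).scheme == "http"]


# Constructed sample page: one script and one iframe are hard-wired to http://,
# the logo uses a protocol-relative URL, and the <a> is a navigation link.
SAMPLE_PAGE_URL = "https://www.example.com/account"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="http://www.example.com/account">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png">
<a href="http://other.example.org/">plain link, not a sub-resource</a>
<iframe src="http://widgets.example.net/w"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```

Running it against the sample reports the script and the iframe only; the protocol-relative logo and the same-origin stylesheet resolve to `https://` and pass, and the `canonical` link and the anchor are not fetched at all. Against a real site the same function can be fed the rendered HTML of each template to find the CDN references that need an HTTPS-capable origin before the switch.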



The GitHub solution seems reasonable: Use HTTPS for writes and truly sensitive stuff, and unencrypted for the rest. CDNs aren't a problem since your write-requests won't have any external resources on them (they'll just redirect back to HTTP). Then the HTTPS could even be handled on a third-party gateway provider (yes, then there's a weak spot between your servers and the third party, but that's much harder to penetrate than the wifi at Starbucks).

Your read-only session might still be hijacked, but that's relatively low impact (since someone could simply sniff what you're reading anyway).
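The split the comment describes rests on one browser rule: a cookie carrying the `Secure` attribute is never sent on a plain `http://` request. The code below is an added illustration of that scheme, not GitHub's code and not from the thread: it issues a read-only session cookie and a separate `Secure` write-session cookie, simulates what a browser attaches over each scheme, and shows a request router that only honours writes over HTTPS with the write cookie present. The host `example.com`, cookie names and token values are assumptions made for the example.

```python
"""Split read/write sessions: a sniffable read-only cookie over HTTP, a Secure
write cookie that only ever travels over HTTPS."""
from http.cookies import SimpleCookie

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
SITE_HOST = "example.com"  # assumed host for the redirect target


def login_cookies(read_token, write_token):
    """Set-Cookie headers issued at login (over HTTPS). Only session_rw is
    marked Secure, so a hijacked session_ro gives read access at most."""
    return [
        f"session_ro={read_token}; Path=/; HttpOnly",
        f"session_rw={write_token}; Path=/; HttpOnly; Secure",
    ]


def cookie_header_for(scheme, set_cookie_headers):
    """Simulate the browser: build the Cookie header it would send on a request
    over `scheme`, omitting Secure cookies when the request is plain http."""
    parts = []
    for header in set_cookie_headers:
        for name, morsel in SimpleCookie(header).items():
            if morsel["secure"] and scheme != "https":
                continue  # browsers never leak a Secure cookie over http
            parts.append(f"{name}={morsel.value}")
    return "; ".join(parts)


def route_request(method, scheme, path, cookie_header, valid_write_tokens):
    """Server-side policy. Returns (status, headers).
    Reads are served over either scheme; a write over http is bounced to https
    (307 keeps the method), and a write over https needs a valid session_rw."""
    if method not in WRITE_METHODS:
        return 200, {}
    if scheme != "https":
        return 307, {"Location": f"https://{SITE_HOST}{path}"}
    cookies = SimpleCookie(cookie_header or "")
    write_token = cookies["session_rw"].value if "session_rw" in cookies else None
    if write_token not in valid_write_tokens:
        return 403, {}
    return 200, {}


if __name__ == "__main__":
    issued = login_cookies("r-token", "w-token")  # constructed token values
    for scheme in ("http", "https"):
        hdr = cookie_header_for(scheme, issued)
        status, _ = route_request("POST", scheme, "/settings", hdr, {"w-token"})
        print(f"{scheme}: browser sends [{hdr}] -> POST /settings gives {status}")
```

The interesting case is the attacker who captured `session_ro` on the coffee-shop wifi: replaying it over HTTPS yields a 403 on any write because the `Secure` cookie was never on the wire for them to capture, which is exactly why the comment rates the read-only hijack as low impact.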


SSL does not necessarily need one IP per server.

https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_I...

Unfortunately, support is not sufficiently widespread at this time.


As I said: "at least as long as Windows XP is still around". Internet Explorer under XP doesn't support the extension.


In addition to the IP address per server problem and coordinating with CDNs, the CDNs often charge quite a bit more money for secure content.


Are you the pilif of the pilif inter-base railway?


Yes :-)

I love trains, coe's quest and minecraft. Looks like a perfect fit.


It's always fun when the internet feels like a small place for a minute. :)



