Originally Posted by gfunkdave
The certificate exchange in negotiating the SSL connection will verify the site's identity.
It's better now since Firefox 3.x now complains if the site uses a self-signed certificate instead of one registered through a major player like Verisign. Older browsers would accept self-signed certs and even display their little padlock icon even though the site was as phony as a $3 bill.
I still advocate using a VPN since there still are quite a few vulnerabilities out there, especially if you're not watching carefully. A pretty good report is at:
http://people.seas.harvard.edu/~rach...hing_works.pdf