I use and recommend WiTopia (
http://www.witopia.net), a personal VPN that is useful both for unsecured wireless connections and for all connections in countries that have many prying eyes.
All this does is change the point of attack. Your trusting a VPN provider to not sniff out your sessionid and use your Facebook account. The real solution is sites have to start sending the sessionid over SSL, and hopefully this will push them to do so.