it is the responsibility of the the web site owner to understand the level of security in the operating system and applications. anyone who "will simply not install ssl" is actively taking a risk with the security of their data, and laziness or lack of technical skill is not an excuse.
my issue isn't whether or not digest authentication is a good or useful solution with benefit, my issue is your insinuation that openacs is an inferior product because it doesn't use digest authentication. this is not true.
as far as javascript, not everyone enables it or uses a modern browser. i work for a university and we are required to cater to the end user's lowest common denominator so ssl is our best option for secure connections.
besides... the average user knows to look for the "https" up in the browser url of good web sites when submitting security-sensitive data.
if digest really is a benefit, then to implement in aolserver/oacs while either minimizing client requirements or with the ability to disable it for the option of standard ssl would be fine.