Apple just fixed an issue I reported to them.
To quote Apple's Security Update 2010-005 advisory text:
Available for: Mac OS X v10.6.4, Mac OS X Server v10.6.4
Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information
Description: CFNetwork permits anonymous TLS/SSL connections. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue does not affect the Mail application. This issue is addressed by disabling anonymous TLS/SSL connections. This issue does not affect systems prior to Mac OS X v10.6.3. Credit to Aaron Sigel of vtty.com, Jean-Luc Giraud of Citrix, Tomas Bjurman of Sirius IT, and Wan-Teh Chang of Google, Inc. for reporting this issue.
In other words, this means you can be any site, with a lock, as long as you can do some DNS trickery. Try for yourself:
1. openssl s_server -debug -accept 8080 -nocert -cipher 'ALL:NULL'
You'd normally want an error to show up there.... looks like this didn't go totally unnoticed, though!
Props to cstone!