I would be surprised if SMF has problems running over https. Most web software works the same whether or not the protocol uses encryption. Did you read that SMF has such problems somewhere? I didn't find anything with a few minutes of web searching.
Even if you use a self-signed certificate you will need a dedicated IP address. A shared host will usually charge extra for this, though I'd be suspicious of a host who wanted more than $25/year for it*. I do not think there is any upside from buying a "real" cert for protecting a message board. The certificate vendors are supposed to validate the identity of the organization they issue certificates to, so that (for example) a certificate that claims to validate a bank was really issued to a representative of that bank and not a scammer. But there is no utility to identity-validation for a site like this. The only downside of a self-signed cert is that it will raise browser warnings that may scare off people who don't understand the meaning.
It is true that strong encryption is not a privacy panacea, not because it is breakable by any known technique but because there are ways to bypass it (tap your keyboard to record passwords and conversations, get a warrant to siphon information from the site host's hard drives, lock you up and torture you for information in the name of national security...). But properly implemented, it does require a snoop (whether a government or a lesser criminal) to expend more effort, and become more noticeable, to get at electronically stored and transmitted information. To put it another way, even bank vaults have been stolen from, but not nearly so frequently as cars with windows rolled down.
Another good reason to use encryption for even the most innocent activities is that it frustrates government weasels who are used to scanning internet traffic as a matter of course. The NSA did it without regard for the law. Their counterpart weasels in the UK are apparently concerned that the arms race between record companies and pirates will lead to an explosion in crypto use, making it much harder to inspect internet traffic. I hope they all have a good long cry about it and one day I can watch the video on Wikileaks.
Encryption isn't just for email and web sites. Phil Zimmermann, creator of PGP, has more recently developed a secure protocol for VOIP telephone conversations called ZRTP, and implemented it in Zfone software for PCs. Even more exciting, a new product called RedPhone implements ZRTP on Android smartphones, so you can have a secure phone in the actual form of a phone instead of a PC. Now it is true that Skype also claims to encrypt all communications, but unlike these ZRTP implementations they do not publish source code. That means that the Skype implementation could have flaws or deliberate back doors built in, and indeed there is substantial circumstantial evidence that they've assisted law enforcement in the past. I would guess that ZRTP implementations for iPhone and other smartphones will come along too, and in the long run all mobile phones are probably going to be smartphones. Since ZRTP is just a protocol riding on top of the telecom networks, there is nothing that CALEA or comparable legislation outside the United States can do to compromise the security of these calls.
*Maybe not true anymore. IPv4 address space is running out, so these addresses may be dearer now.