Right now, Bitcoin Addresses are the only option if you want automation.  If you're only taking donations, or only handling manual transactions, IP Addresses might be better suited.  That way they can send you comments or messages about their account info.

Isn't that "unsafe"?
Say I am an exit node listening for bitcoin transactions and grab them?
Or is everything public/private key encrypted?<sup>[1]

[1]Which is my guess.</sup>

That's a good idea.  At the very least a warning dialog explaining that it'll connect to the IP and send the information cleartext, giving the chance to cancel.

That's not "for everyone", but for those up to buy or sell some stuff more... strange.
I believe the core aim of BC is to be an easy to carry non-centralized currency, anonimity is a surplus not a mandatory field. Otherwise we would rather call it TorPay.
So, unless the transaction is for the a new pedo movie, some crack shipment or some stuff alike, there's no reason to use Tor, and therefore no exit nodes and no proxies. In the end trimming your advice: If you're up to make a "non conventional" payment over Tor, use the destination's BC Address, if you're buying or selling something normal, use IP or BC address. 

Then we've the eternal ballance: Usability x Security. Too much security = too few usability (the most secure computer in the planet is... anyone since it's switched off) and too much usability = too few security. Ballance is better than paranoia. 

I agree, this is a pretty large security hole.
We need a bug tracker for this stuff.

I don't see the security risk of being able to intercept or eavesdrop on a Bitcoin transfer.

All transactions are broadcast to all Bitcoin generating nodes, anyway, and the transactions are impossible to alter or forge (because they're digitally signed).

A man-in-the-middle could drop the transaction, but SSL doesn't fix that-- if they're relaying SSL traffic they could drop your SSL-encrypted transaction, too.

There are good non-security-related reasons for encrypting Bitcoin transaction traffic, though (makes it harder for governments/ISPs to do deep packet inspection to selectively drop Bitcoin traffic, for example).

But a man in the middle can also intercept the key negociation for OpenSSL and decrypt the packets.
If BC goes as payment standard other attacks may come along, as forging hashes.

This round about for the eternal question: Does it worth it?
Like Windows and Linux, none is safer than the other, Windows has registry, in time it has autoexec.bat, but so does Linux have .bashrc, inetd, xined and several ways to put "crap on boot", to not mention Linux is OpenSource and this may be a security hole because Open Source doesn't mean "Open only for the right people", but "Open for the wrong as well". Still the number of virus and malaware for Windows is astronomical compared with those available for Linux. Why? Simple... Windows has the biggest market share. If it happens to be the other way around than it would be more profitable to make crap for Linux than Windows things would go the otherway around.

theymos:

Like I said; if it worth it.

There're some random vars to add too, as to know when someone will send something.
But, yes, TLS would be nice, why make things easier to steal when we can do it a bit harder? TLS adds some good security without cut too much usability.

I wouldn't care for ISP's anyway, if you mistrust them that much as I said before, you rather not make a phone call anymore on your life, taken telecom companies can easily tap it. But for those using proxies, some user-run proxies, yes, authenticate over plain text for those is a russian roulette.

And if you leave your house you can be hit by a car. Oh! Wait! If you remain at home a plane may crash over your roof. 

MiM attacks that can perform defacing can perform it on all the ways - with or without SSL. Like spoof your DNS and make your browser believe to be seeing the "right page".
The only way to be 100% secure on informatics is to be offline with the computer switched off from power. As long as it is on, there're a few "thousands" of possibilities and... sh*t happens. 

Leave Tor aside, that would be more "Man in the Center" rather than "Man in the Middle".  
As for the attacks on websites with BC addresses, you may deface them, and you may spoof even without the server's Private Key. Normally people don't look to the CA, so as long as the CA is recognized it will ring no bells - and within this "world", specially for Tor users, Verisign Certificates aren't the normal thing, but CACert and other free services alike (means also many users are already used to press "Continue" on invalid certificate flags).

If by anymeans you got the server's private key then it doesn't make no difference, for your browser that Certificate is signing that address and, as far as DNS can tell, that server is there.

Edit:
To not mention the obvious: If you know the destination's IP Address why on Hell you would need to use Tor to pay?? And if the address would be something like <some unreadable hash>.onion then you wouldn't need SSL, because inner Tor data is already crypted.