Another option is to use a non-default port for the second SSL binding... you'll have to use URLs of the form https://foo.com:1337/ but the security will be preserved.