There is an expectation that URLs which do not produce "this
certificate is not trusted" messages are safe for people to use to
disclose sensitive information like credit card numbers. The average
consumer has been educated to this effect at great length by
commerce-oriented websites and browser vendors.
Sorry, this is the night soil of a large and very well fed
male ox. Anyone who believes that more than 20% of the users have been
educated to do this hasn't gone around spoofing their own https sites
on their wireless lans and measuring how many passwords they get. and
I'm being *generous* with the 20% - I typically get a valid password 9
out of 10 connections to a spoof site.
What lusers have been educated to do is "Oh look, an annoying
box has popped up. click the button to make it go away so I can keep
going." I seriously doubt they differentiate it too much from popup
ads for porn sites or herbal viagra.