I don’t really have a problem with https the way it is, but I believe a lot of money is already going to the security certification authorities (CAs).
So for websites that aren’t too concerned about man-in-the-middle attacks, an https login with a self-signed certificate is good enough. This is quite decent for websites with a small, local user base, where not much is at stake, or for internal company websites meant for employee access over the LAN. In any case, with a good monitoring system, a malicious user can be caught much more easily on a LAN than by fishing for one on the Internet.
However, an http login can also be sufficient, especially for webapps that encrypt only the user’s password and serve the remaining pages of the application unencrypted. This login method is foolproof against replay attacks as well. The protocol used is CHAP (Challenge-Handshake Authentication Protocol).
I’d explain it, but instead of being my usual vague self, I’ll just redirect you to Paj’s page where he elaborates on this method beautifully.
Code in JSP and JavaScript (JS library from Paj’s site) is available here.
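The CHAP-style login described above, as an added Node.js example (it is not Paj's library or the JSP code linked from this post): the server issues a random single-use challenge, the browser returns a keyed hash of it, and the server discards the challenge after one attempt. HMAC-SHA-256, the in-memory user store, and every function name here are assumptions of this example.

```javascript
const crypto = require('crypto');

// Constructed sample data: one account and the server's outstanding challenges.
const users = new Map([['alice', 'correct horse battery staple']]);
const pending = new Map(); // challenge -> expiry time (ms)
const CHALLENGE_TTL_MS = 60000;

function hmacHex(key, msg) {
  return crypto.createHmac('sha256', key).update(msg).digest('hex');
}

// Server: random, single-use challenge sent with the login form.
function issueChallenge(now = Date.now()) {
  const challenge = crypto.randomBytes(16).toString('hex');
  pending.set(challenge, now + CHALLENGE_TTL_MS);
  return challenge;
}

// Browser: only this response goes over the wire, never the password.
function clientResponse(password, challenge) {
  return hmacHex(password, challenge);
}

// Server: a challenge is consumed on first use, so a sniffed
// (challenge, response) pair is worthless when replayed.
function verifyLogin(username, challenge, response, now = Date.now()) {
  const expiry = pending.get(challenge);
  pending.delete(challenge); // single use, whether or not the login succeeds
  if (expiry === undefined || now > expiry) return false;
  const password = users.get(username);
  if (password === undefined) return false;
  const expected = Buffer.from(hmacHex(password, challenge), 'hex');
  const got = Buffer.from(String(response), 'hex');
  // Constant-time comparison; the length check guards malformed input.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Genuine login, then the same captured pair sent a second time.
function demo() {
  const challenge = issueChallenge();
  const response = clientResponse('correct horse battery staple', challenge);
  const first = verifyLogin('alice', challenge, response);
  const replay = verifyLogin('alice', challenge, response);
  return { first, replay };
}

console.log(demo());
```

CHAP requires the server to hold the password, or an equivalent secret, in a form it can compute the response from. The exchange covers only the login step; as the post says, the remaining pages still travel unencrypted.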