I just noticed that Hacker News, Reddit, Digg, and Slashdot all submit login information via plain HTTP, not HTTPS. The login name and password are readily apparent to anyone with a packet sniffer.
This was surprising to me. Am I missing something?
When I checked the login pages of these sites using "Inspect Element" in Safari and saw that they all appeared to submit in plaintext, I assumed that there was some JavaScript or something that would override that, but I just logged into all of these sites with a tcpdump capturing the login, and verified that my credentials were indeed in plain text.
Even if the login procedure were protected by HTTPS, though, damage can still be done if the rest of the session reverts to plain HTTP. Someone sniffing the wireless (or the wire, for that matter) for usernames and passwords could equally sniff for session IDs and use them to mimic you in the web server's eyes (so they can read your otherwise private data, post as you, and so forth).
So if you are concerned that your login credentials are sent plain, you should be concerned that other data (session information specifically) is too.
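A site owner can check for both problems raised in this thread, the password form posting over plain HTTP and cookies that will travel over plain HTTP afterwards. The following is an added example, not part of the original posts; the function names, the `forum.example.test` host, the HTML and the cookie headers are all constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse


class LoginFormFinder(HTMLParser):
    """Collect the resolved action URL of every form with a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.current_action = None
        self.password_form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the scheme of the page itself.
            self.current_action = urljoin(self.page_url, attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self.current_action is not None:
                self.password_form_actions.append(self.current_action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_action = None


def audit_login(page_url, html, set_cookie_headers):
    findings = []
    finder = LoginFormFinder(page_url)
    finder.feed(html)
    for action in finder.password_form_actions:
        if urlparse(action).scheme != "https":
            findings.append(f"password form posts to non-HTTPS URL: {action}")
    # Any cookie without Secure is also sent on plain-HTTP requests,
    # session identifiers included.
    for header in set_cookie_headers:
        for name, morsel in SimpleCookie(header).items():
            if not morsel["secure"]:
                findings.append(f"cookie '{name}' lacks the Secure flag")
    return findings


# Constructed sample input: a login page and the Set-Cookie headers it returns.
SAMPLE_URL = "http://forum.example.test/login"
SAMPLE_HTML = '<form action="/x" method="post"><input type="password" name="pw"></form>'
SAMPLE_COOKIES = ["user=8f3ac1d0; Path=/; HttpOnly", "prefs=dark; Path=/; Secure"]
if __name__ == "__main__":
    print("\n".join(audit_login(SAMPLE_URL, SAMPLE_HTML, SAMPLE_COOKIES)))
```

The cookie check reports every cookie without `Secure`, since it cannot tell which one carries the session ID.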