There is an expectation that URLs which do not produce "this certificate is not trusted" messages are safe for people to use to disclose sensitive information like credit card numbers. The average consumer has been educated to this effect at great length by commerce-oriented websites and browser vendors.
Sorry, this is the night soil of a large and very well fed male ox. Anyone who believes that more than 20% of the users have been educated to do this hasn't gone around spoofing their own https sites on their wireless lans and measuring how many passwords they get. and I'm being *generous* with the 20% - I typically get a valid password 9 out of 10 connections to a spoof site. What lusers have been educated to do is "Oh look, an annoying box has popped up. click the button to make it go away so I can keep going." I seriously doubt they differentiate it too much from popup ads for porn sites or herbal viagra. -Bob