Often websites would work with https but they have an invalid/expired whatever certificate. But why not use an encrypted connection in this case too? The connection would be still encrypted, so it would still protect from others listening.