I've just set up a proxy and run all my request through that proxy.
I investigated several different applications: they pass login and password pair raw, i.e. I can grab them from POST-request parameter.
How should it be implemented to make it more secure? (I haven't investigated gmail and facebook yet, but I think they don't have this issue. Otherwise any Internet-cafe can collect all accounts of its customers, for example).
P.S. I investigated sites written in JSP and GWT.