Brad Ideas: Crazy ideas, inventions, essays and links from Brad Templeton
Many levels
I’m not quite clear. You are saying the browser replies with a password, which is to say automatically logs you in? Or are you referring to the constant authentication you get with HTTP Auth, which is rarely used by these web sites? Auto-login would be a major new feature in browsers; right now the most they usually do is fill in the userid and password and let you click if you want to log in. That’s usually the right thing to do, because there are other choices you may want from the login screen.
However, for that we already have this level of protection. The password auto-fill is only for a site you’ve confirmed you want to save a password for (a whitelist), not for anywhere else. SSL is not involved, though I have in the past suggested browsers should detect, and seriously warn, if a page that used to be accessed by SSL suddenly becomes non-SSL or changes certificate, and should not password auto-fill.
Right now if you go to a phisher and enter your password in a normal password box, the browser will say, “Do you want to remember this password?” This is a phishing wake-up for smarter users, though others are fooled in spite of this. My proposal was in effect to change this warning to: “You’re using the userid/password you use for your bank at this site, which is not, as far as we can tell, your bank. This could be somebody trying to trick you. Please read the anti-phish guide, and then confirm either that this is another login page for your bank, or that you wish to re-use your bank userid and password with another web site.”
But your proposal is, as far as I can see, what already happens at least in Firefox (for both SSL and non-SSL).