how is it secure when a miner is using insecure http to send the user and password?
"No Mr. Bond, I expect you to die."
Translation: it isn't. If you mine in a pool and this fact worries you:
A) ask your pool admins to enable HTTPS urls for miners
B) move to a pool that uses HTTPS for miners
C) move to a pool that allows you to create miner-only passwords (e.g. you can use them in a URL for your miner, but they cannot be used to log in to that pools' web site to change your account, a la bitcoinpool.com)