The force.com API documentation mentions logging in over http, but this initially failed for me. I got an error that my username/password was incorrect. However the exact same URL and credentials worked fine as long as it was https. After beating my head against it for a while I discovered it is controlled by a security setting in the force.com org.
By default, force.com requires HTTPS connections. This is easily disabled:
Setup -> Security Controls -> Session Settings, then disable the ‘require secure connection (HTTPS)’ checkbox.
