Right, but it's even EASIER (less CPU expensive, less complex software, less clearly illegal, etc.) on plain HTTP traffic. Not to mention that plain HTTP leaves you completely vulnerable to passive eavesdropping, which is completely prevented with a simple unauthenticated HTTPS.
We have this weird situation where many sites avoid using self-signed encryption in favor of *plain-text*. That's broken. The preference should be authenticated certs from trusted cert vendors > authenticated certs from minor cert vendors > self-signed >>>> plain-text.
From the user's perspective, plain-text mode and self-signed should look exactly equal: both are not authenticated; both could be forgeries.
There is no need to single out self-signed HTTPS, and doing so reduces user security rather than increasing it.