Of course if you can sniff the password, you could probably figure out a way of substituting your own man-in-the-middle attack on the digest. Oh, btw, without ssl, how do you get the password to the website in the first place? Is a password replacement is used, this is just as easy to sniff.
Anyway, if you want security, or at least what is accepted as security, you need ssl. It also doesn't matter what fancy thing we do on the website if users don't have browsers which support the login method.
