If a form is going to submit data over a secure channel, the page containing the form should be retrieved over a secure channel also. Otherwise what’s to stop somebody intercepting and modifying the pages HTML so that the form submits the data in plain text elsewhere?