Your use of the phrase "even if" makes me think that you are saying that loading a form on a non-https page would be secure when that is emphatically not the case at all.
I know that http served https form target login is an anti-pattern.
I was saying that a) firesheep does not have anything to do with passwords (which he implies it does) and b) it would be prevented with ssl anyways. I don't even know why he brought it up.
