While people expect/desire that form to be served via SSL, what matters is the URI to which the form submits, and whether it submits over SSL.
You could apparently serve the author a form over SSL, have it post to a malicious server, and he'd be none the wiser because he's focused on whether the empty form was sent over an encrypted socket.
Every link in the chain should be over TLS. Otherwise, you can change the unencrypted part to point somewhere else. Both the form, the site linking to it, and the URI it submits to should be over TLS.
As Facebook learned, submitting to an HTTPS server isn't enough, the form must be too. Otherwise you can be man-in-the-middle attacked on the form page. Better yet, serve everything over HTTPS, so people can't change the links.
So what what you mean to say is that if you don't use SSL all the time, somebody with a sniffer can pull you session ID out of the air and impersonate you by hijacking your session.
That's VERY different for a man-in-the-middle attack.
Do you think the coffee shop should have offered encrypted wifi?
You could apparently serve the author a form over SSL, have it post to a malicious server, and he'd be none the wiser because he's focused on whether the empty form was sent over an encrypted socket.