SSL signin should not be enforced. HTTP should give a big warning, but SSL is not fully supported in all clients.
1. force it on your servers
2. only include content from your servers
It becomes almost impossible to mix insecure content at this point.
There are a lot of hard things to do when scaling, SSL isn't in the hard class.