The login page has code to force ssl if it is available, but I'm not sure that should be the job of a feature placed on a page ie I don't think I should add code in the module control to do the same.
I agree it is best to avoid the error but it is best to avoid it by correct configuration.
In this case the error happened on the demo site because I configured it to keep authentication cookie secure which is not default configuration since we cannot assume that ssl is even available in other installations this has to be set explicitly on purpose. However I agree that errors on the demo site don't help promote the product and should be avoided. So in this case since I cannot trust that people trying things out on the demo site will know how to make good choices in page settings or site settings I have just added a config setting to force ssl on all pages so this error cannot happen on the demo site and the red warning will also never be shown.
<add key="ForceSslOnAllPages" value="true" />
Myself I'm not a fan of the sign in module to begin with, I think security functions should be isolated on their own pages but people requested this feature and I provided it and tried to make it such that people will use it correctly and securely if they do use it.