I appreciate this is a difficult one, but I think the idea of a warning like this is a good one.
However, the current warning has too many false positives, so people will get alert fatigue and ignore it when it is correct.
It would be more useful to reduce the false positive rate and only report when the plugin is confident something bad is happening.
Before completing a password into a page served over HTTP.
Submission of a form with a password field where the action is clearly over an unencrypted channel (Mailto:, http:// etc.).
My example would be: https://gravityzone.bitdefender.com/
The password submission form tag is "<form>", and triggers a warning.
Whilst there is plenty wrong with BitDefender's web server configuration, the username and password are encrypted and go out via XHR over HTTPS with some in-house encryption applied on top of the regular HTTPS, so nothing in practice that justifies the warning.
Stop the false positives....
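The two conditions proposed in the post, written out as a decision function. This is an added example, not part of the original post and not the plugin's code; the function names, reason strings and the `example.com` URLs are assumptions made for illustration.

```javascript
// Schemes the post names as clearly unencrypted ("Mailto:, http:// etc").
const CLEARTEXT_SCHEMES = new Set(["http:", "mailto:"]);

// Resolve a form's action attribute the way a browser does on submit.
// Returns a URL object, or null when the attribute cannot be parsed.
function resolveAction(pageUrl, actionAttr) {
  // A missing or empty action (a bare <form>) submits to the page's own URL.
  if (actionAttr == null || actionAttr.trim() === "") return new URL(pageUrl);
  try {
    return new URL(actionAttr.trim(), pageUrl); // handles relative and //host forms
  } catch {
    return null;
  }
}

// Warn only when there is positive evidence of a cleartext channel.
function passwordWarning(pageUrl, actionAttr) {
  const page = new URL(pageUrl);
  // Condition 1: completing a password into a page served over HTTP.
  if (CLEARTEXT_SCHEMES.has(page.protocol)) {
    return { warn: true, reason: "page-served-over-cleartext" };
  }
  const target = resolveAction(pageUrl, actionAttr);
  if (target === null) return { warn: false, reason: "action-unparseable" };
  // Condition 2: the form action itself names an unencrypted channel.
  if (CLEARTEXT_SCHEMES.has(target.protocol)) {
    return { warn: true, reason: "form-action-cleartext" };
  }
  // Script-driven forms (javascript: actions, XHR submits) give no evidence
  // either way, so they fall through to "no warning".
  return { warn: false, reason: "no-cleartext-evidence" };
}

// Constructed cases; only the first URL comes from the post.
const cases = [
  ["https://gravityzone.bitdefender.com/", null],          // bare <form>
  ["http://example.com/login", null],                      // HTTP page
  ["https://example.com/login", "http://example.com/auth"],
  ["https://example.com/", "Mailto:admin@example.com"],
  ["https://example.com/", "javascript:void(0)"],
];
for (const [page, action] of cases) {
  console.log(page, JSON.stringify(action), passwordWarning(page, action));
}
```

The scheme comparison is case-insensitive because the URL parser lowercases the scheme, so `Mailto:` and `HTTP://` are matched as well.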