We are aware of this problem. One way to solve it is to keep the connection secure until the order overview page. Any link from there should redirect the user to a non-secure page.
We hope to include this solution in the next eZ publish and Paynet direct release.
This was the solution I thought of as well, but I was unable to locate the right place in the PHP code. Would you know in which file this redirect happens?