A possible solution is to use HTTPS on the onion site as well. Facebook does so on their hidden service (https://www.facebookcorewwwi.onion/) and they actually have an Extended Validation certificate so the users can easily see that they are browsing the real Facebook site and not a phishing site.
I think this is a minor issue after all, and I like the idea of having a Tor hidden service address for this forum as well.
or if you are using Tor:
Now that I look at the Facebook hidden service address, I think that they must have performed quite a lot of number crunching to get an address like that. If one can almost completely fabricate the address (basically, a public cryptographic key), does it also mean that the cryptographic scheme may soon become vulnerable to attack? Tor already supports a longer addressing scheme known as v3 which will be safer.
The alt-svc approach looks interesting too.