One small issue: https://salaryshare.me/ does not work. Considering who this is targeted at, I wouldn't want my office mates who are my co-workers to snoop on my POST to your site. Kind of defeats the purpose.
I don't think so, but why put them in a position where they'd be tempted? If I send out a link to the salary share pool on our internal chat, the assumption is that at least some people will go filling it out around that time. If someone gets the temptation to know exactly what's going on, they could start up a packet sniffer. OTOH, a StartSSL cert would prevent all of this from happening.
I imagine that this will deter people from quickly starting up a packet sniffer when they share links to your site. However, how are you able to use webfaction's cert? Do they just give you their private key? Or is it just a cert that is not really signed by anyone and the common name is set to *.webfaction.com? In other words, this does not mean that you can spoof www.webfaction.com's signature, corret?
It's a stopgap measure (because you have to click through the cert exception, because the domain name on the cert doesn't match the URL), but it will still encrypt the data just fine.
The warning will confuse some people (such as yourself); that's why the dev asked if it was okay.