The configuration for certain pages to be secure is done in the config.xml
file of each module. Let's take as example the checkout page. In app/code/core/Mage/Checkout/etc/config.xml
there is this:
<frontend>
<secure_url>
<checkout_onepage>/checkout/onepage</checkout_onepage>
<checkout_multishipping>/checkout/multishipping</checkout_multishipping>
</secure_url>
....
</frontend>
This tells Magento that the pages /checkout/onepage
and /checkout/multishipping
should be secure if HTTPS is enabled.
The decision if an url is secure or not is made by this line:
$this->_checkShouldBeSecure($request, '/'.$module.'/'.$controller.'/'.$action);
in Mage_Core_Controller_Varien_Router_Standard::match()
method