Peter Westwood, better known as Westi in the WordPress community, recently announced that he has developed and implemented some new methods for wordpress.org so that interactions can now be made over SSL.
Whether you’re just downloading an update of WordPress or interacting with the wordpress.org API, both calls and responses can now be made over SSL.
While there’s nothing super secure being sent over the pipe to wordpress.org, it’s still the best practice to be using SSL in the first place. Well, there’s almost nothing super secure. The one piece of data that could be considered necessary to secure is the salted hash generator.
I went ahead and tested https for it and it worked just fine: https://api.wordpress.org/secret-key/1.1/salt/
Just for the sake of testing, I also tested loading the frontend of wordpress.org, such as the support forums. The page loaded just fine, which leads to believe the wordpress.org team could at one point, switch over to enforcing https on wordpress.org across the entire site.
Peter is asking that you try making the calls over https and see how things are working. You can follow the discussion on ticket #18577.