Security is important and one of the things I would like to see is if we can enforce a requirement for all requests that core makes back to WordPress.org for updates and information to be https. This is the a great step to a greater level of update verification to help detect man-in-the-middle attacks.
Making this switch is going to be a fun journey and we are bound to find that there are some setups that can’t/don’t/won’t support https with the WP_HTTP API.
So before we try switching to using https in trunk I’ve update the Beta Tester plugin so that it forces all requests to api.wordpress.org to happen over https. I’ve also updated the api so that if you make a https request it will return https references in the results.
Please go for and test this on your test installs and let us know of any issues you find here in the comments or on the trac ticket.