Funny you mention this, as we had a conversation about this only hours ago.
As mentioned by Sebastian a while back, we are well aware of the pitfalls of not having TLS across the marketplaces and are actively trying to fix this. There have been a few experiments using GitHub’s camo proxy and rewriting URLs to use a CDN; however, at this stage neither of those ideas is production ready for us. One option that has been raised is to put everything except the user-generated pages under TLS; however, this still leaves the issue that should you visit those item pages the session will be unencrypted - thus defeating the purpose of encrypting it. Taking this route would make the TLS hole a little smaller; however, it doesn’t completely solve the issue we set out to fix. Additionally, when we roll out TLS for general availability we also need to be 110% certain that our tools (such as DDoS mitigation) can function effectively on both traffic types without leaving gaps.
On a side note, it’s worth mentioning that while TLS is a key part of security, it’s definitely not the silver bullet. The last couple of months have seen a few projects underway which have been addressing other aspects of the security sphere to limit or completely remove some vectors from our marketplaces. While this hasn’t always been visible to users, it has definitely been happening.
I’m hoping this gives you more of an idea of where the situation is at.