its encrypted by default. The whole system is built on public/private keys so it doesn't really matter if its "http" or "https." In fact, as I understand it https would require approval by the certificate authority and registration and all that, which just reintroduces third parties. Best to avoid them entirely, imo.