
The project to offer SSL free to every user of Maven Central is already underway. Stay tuned for details.


Author here.

Brian, are you speaking as a representative of Sonatype, or are you a 3rd party?


As a representative of Sonatype.

The reality of cross build injection has been discussed for many years, I even linked to an XBI talk in my blog post announcing the availability of SSL.

The reality is that prior to moving to a CDN, it was going to be pretty intensive to offer SSL on the scale of traffic we were seeing. The priority at that time was ensuring higher availability and providing multiple data centers with worldwide load balancing.

On our first CDN provider, they could not perform SSL certificate validation and thus were themselves susceptible to a MITM attack. So the decision at that point was to run SSL off of the origin server. We wanted to make it essentially free but wanted to ensure that the bandwidth was available for those that cared to use it, hence the small donation.

The situation is different today with our new CDN; they can validate the certificates all the way through, and that's how we intend to deploy it.

We won't be able to enable full HTTPS redirections for all traffic, since this would cause havoc in organizations that are firewall-locked and for tools that don't follow redirects. Each tool would need to adopt the new URL. I've already suggested this change occur in Maven once we launch.
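As an added example (not the commenter's or Sonatype's own configuration): the per-tool change described above, for Maven itself, is a `settings.xml` mirror that pins the built-in `central` repository to the HTTPS URL, so the client never makes the plain-HTTP request that a MITM could tamper with. The `https://repo1.maven.org/maven2` host is assumed here; substitute the URL that Central actually announces.

```xml
<!-- ~/.m2/settings.xml (added example; assumes repo1.maven.org serves Central over HTTPS) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <!-- Without this mirror, Maven 2/3 of that era resolved "central" over plain HTTP
         from the super POM, so every downloaded artifact was exposed to cross build
         injection by anyone on the network path. -->
    <mirror>
      <id>central-https</id>
      <!-- Only redirect the default repository; leave any other repositories alone. -->
      <mirrorOf>central</mirrorOf>
      <name>Maven Central over HTTPS</name>
      <url>https://repo1.maven.org/maven2</url>
    </mirror>
  </mirrors>
</settings>
```

This only moves the transport to HTTPS; it does not verify the PGP signatures published alongside each artifact, which remains a separate step.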


I am not familiar with Sonatype and what relation it has with Maven, but have you considered adding the BitTorrent protocol to Maven? This might help reduce traffic considerably.


He was speaking as a rep of Sonatype, as am I (head of engineering for same). We'd be happy to speak to you more. There is a lot going on from a community perspective, and this project has been in the backlog for a while and is now rapidly working its way to the top given the apparent sea change in attitude associated with security.


I'm pretty surprised that this article is news. Sonatype has been open about SSL for Maven Central since there has been Nexus or maybe even longer. I remember Jason van Zyl talking about this seven or more years ago.


I would assume this is what we should stay tuned to? http://www.sonatype.com/clm/secure-access-to-central


Yawn. Let me know when you're ready to announce a project to competently sign and verify artifacts.


Signatures have been required on Central for years and there are tools to verify them, including repository managers.

We strongly do not believe that you should entrust your private key to anyone else for signing, which is what others have done to make it easy... yet less secure.


Maybe you could assist them?

