SerializationIsBad

Gradle downloading mods through http

shpaass opened this issue · 1 comment

commented

First of all, thank you for the writeup!

In the light of the deserialization vulnerability, is it dangerous for Gradle to download mods over http?
I'm talking about allowInsecureProtocol = true like here.
When discussing the issue with the GTNH team, the following response was given:

HTTPS on the maven server would be nice, but it's not a security issue. All jars going there are uploaded from Microsoft Azure (who run GitHub Actions), and downloads are checked against checksums there. If an actor has access to MITMing malware, they can as easily install custom HTTPS certs on your. HTTPS prevents ISP sniffing at a small scale: at large scales, obtaining fraudulent HTTPS certificates is not that difficult and has been done before by state actors; on a tiny scale, infecting someone's PC is more dangerous and then no protocol can save you.

What are your thoughts on the security of the given situation? Is it indeed secure, or did we miss a vector that appears due to http? I'm not a part of the GTNH team, but I'm concerned about the security, so I wanted to check.

commented

We're living in 2023 and getting an HTTPS certificate is easier than ever, so I think HTTPS isn't just something "nice to have". Especially in the context of possible supply chain attacks that may arise from compromised build dependencies.
Download checksums also don't provide any security if they're served from the same HTTP-only webserver.

If you're only using a trusted network from a trusted provider then the risk of MITM attacks needed for this attack is pretty low. But since the file you linked is from an example gradle project, I don't know if this situation should be assumed in every case. It just creates an unnecessary attack vector that can be prevented easily.

So I would say it's not a super critical vulnerability, but it can definitely be exploited (depending on the situation).

If you want to read more about this topic, here are some links that may be useful:
https://blog.sonatype.com/central-repository-moving-to-https
https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb
https://github.com/mveytsman/dilettante

(btw. I'm closing this issue as it has nothing to do with this repo but feel free to comment here if there are any more questions regarding this)
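As an added illustration of the two points made above (the `allowInsecureProtocol = true` setting, and checksums that come from the same unauthenticated server), here is a hypothetical `build.gradle` showing the weak repository declaration next to the corrected one. This is example configuration written for this thread, not code from the SerializationIsBad repo or from any GTNH project; the repository URL is a placeholder.

```groovy
// build.gradle (Groovy DSL). Hypothetical mod project; the host name below
// is a placeholder, not a real GTNH or other project repository.

// WEAK: a plain-HTTP Maven repository. Since Gradle 7, http:// repositories
// are rejected unless the build explicitly opts out with
// allowInsecureProtocol = true. The .sha1 / .md5 files Gradle fetches next
// to each jar come over the same unauthenticated connection, so an on-path
// attacker who can replace the jar can replace its checksum file as well;
// the download-time checksum check therefore adds no integrity guarantee.
repositories {
    maven {
        url "http://maven.example.invalid/releases"   // placeholder host
        allowInsecureProtocol = true                   // opts out of Gradle's protection
    }
}

// CORRECTED: the same repository over TLS, with no insecure-protocol opt-out.
// TLS gives transport integrity and server authentication, so a checksum
// served next to the jar now comes from the authenticated origin.
repositories {
    maven {
        url "https://maven.example.invalid/releases"  // placeholder host
    }
}

// Defence in depth: Gradle dependency verification pins expected checksums in
// gradle/verification-metadata.xml, a file committed to the project's own VCS
// rather than fetched from the artifact server. Generate it once with
//   ./gradlew --write-verification-metadata sha256 help
// and commit the result; later builds fail if any resolved artifact's SHA-256
// differs from the pinned value, regardless of which server delivered it.
```

The verification-metadata file is what makes the checksum independent of the server: a compromised or spoofed repository can change the jar and its `.sha1`, but not the value recorded in the project's own repository.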