HTTP update checking
C0rn3j opened this issue · 6 comments
Why use HTTP for checking if there's an update? I realize this is not a security issue if the only thing it does is say "Mod is outdated", but if it actually pulls something in it would be.
You can get a free TLS cert here. https://letsencrypt.org/
Found out about this because updating to RebornCore-1.10.2-2.7.2.45-universal.jar caused this in the server output (forge 2092) http://pastebin.com/PSZ6N2Qc
EDIT: Apparently your site does have a cert, but HTTP is still allowed. Why?
EDIT2: Just found out there is one more error block http://pastebin.com/7vjGXwX8
Oh so it's about adding root CAs.. I wonder why java feels the need to handle that.. Anyway, could you please clarify whether the mod actually downloads anything over HTTP?
It downloads the versions file, and custom shield textures for certain people only when needed.
so are you saying to use https? The only reason we don't, is only very new versions of java support Cloudflare's https cert, in a few months when people update this will be possible.
> so are you saying to use https?
Correct.
Is this feature used simply for saying whether something is outdated or does it actually download files?
> The only reason we don't, is only very new versions of java support Cloudflare's https cert
Seems like the cert is only using TLS 1.0>1.2, and not SSL v3 which is a security risk. It strikes me as odd though that newish java versions wouldn't have TLS support.
Looks like update 101 supports it: http://www.oracle.com/technetwork/java/javase/8u101-relnotes-3021761.html but I can do some testing