- compat doesn't do certificate checking at all, so the only thing https brings us is end-to-end encryption - but no authentication.
- for core, there are some issues with the httplib2-as-externals that are easiest to fix by maintaining a port in git. This also means it's relatively easy to add WMF-relevant certificates to the cacerts.txt. I've requested a new repository in gerrit for this.