http://code.google.com/p/webfinger/wiki/WebFingerProtocol
The code now looks for the host-meta file via https. If it doesn't find it it
falls back to http, but causes the response's 'insecure' attribute to be set
to True.
The 'insecure' attribute also gets set to True if the user's XRD URL is not an
https:// url.
This doesn't do any checking of certificate validity, or check whether the XML
is signed.