Inside user home https://vrchat.com/home, "Download VRChat SDK" button links to https://vrchat.com/download/sdk . And it is redirected to latest SDK file. Currently it's http://files.vrchat.cloud/sdk/VRCSDK-2019.03.26.10.37_Public.unitypackage . (The host use URL redirection by HTTP response status code 302.)

Though its HTTPS version https://files.vrchat.cloud/sdk/VRCSDK-2019.03.26.10.37_Public.unitypackage is available , secure HTTPS protocol is redirected non-secure HTTP with no need to.

I think this is mis-configuration increasing security risk. SDK distribution should use HTTPS.

Original reporter: https://twitter.com/esperecyan/status/1111801173315481600 Thanks for sharing.