The HTTP version of the website should unconditionally redirect to the HTTPS one
I inadvertently typed “bugs.goffi.org” and logged in there, sending my credentials in clear on the network. The website should be configured to never allow that mistake.