Question HTTPS

Let me start by making one thing clear: this is not a complaint. This is not a criticism.
This is not even a current concern of mine.
But it is a bit of a concern for the future.
Briefly:
How far in the future, in the site roadmap, is implementation of HTTPS? I notice that currently it doesn't use HTTPS, not even for the login form.
Personally, I don't care. I don't really need it. If people who know me figured out the sorts of sites I visit and contribute to, yes, it would be mildly embarrassing. But not a big deal. I'm already considered weird.
Even if someone MITM'd me and stole my site password, it would be an annoyance but still wouldn't be a really big deal -- I don't repeat passwords, and I have alternate channels to contact the TINCC and request a password reset.
But there are people for whom it IS a big deal. Big enough that they will hesitate in participating in a forum with no option to encrypted access.
And nowadays there is a general push towards HTTPS; browsers are highlighting more the lack of it on sites, and security products and services are getting more alarmist about it. I wouldn't be surprised if at some point security programs started blocking non-HTTPS sites by default.
Which is a problem, if potential new readers/forum members start getting "Bad website! No soup for you" alerts. Less technically sophisticated users may be scared away, thinking it's some sort of malware website.
Now, I don't know how hard it is to implement HTTPS. But I do know that it used to be pretty hard and sort of expensive, but that there are efforts (like Let's Encrypt ) to make it easier and cheaper.
I don't know how hard it is currently. I don't know how hard or how easy the hosting service makes it, nor how hard is to make the CMS work correctly with HTTPS.
I don't expect to see it anytime soon; these things take time and work to do right, and I know that there are other priorities (such as putting food on one's table).
But I hope it's somewhere on the roadmap.

If so, and it is not an unreasonable financial burden (it can't be, right... far to many small sites that use forums or commenting that would need HTTPS for passwords) then I will work to get us migrated asap.

I can say, from personal experience, that letsencrypt.org/ is completely free and well-run. The only downside is that you need to replace the certificate every 2 months (with a 30-day grace period, for a total of 90 days of certificate validity).
Good folks running that operation. Funded by grants.

There's some unusually esoteric coding that has to be done; to get Joomla to work with it.

That’s unfortunate. If the problem is just getting images, styles, and links changed over, you can fix that with a single header() call:ref: www.w3.org/TR/upgrade-insecure-requests/#example-navigation
Based on that statement, I assume there’s something bigger than that that’s a problem.

For those who are unfamiliar with the nuts and bolts of configuring web pages to be served up via https, it might help if I tossed in an overview of what is required. For a web server to provide pages over HTTPS, it has to have a file (called a certificate) that contains the private key used for the encryption. In addition, the process (known as a daemon) that provides the http services has to be configured to used a given certificate to serve up a particular set of web pages. This configuration work is something that normally has to be done by the server administrator.

In a 'classic' (cira 2000) web hosting environment, the entity that creates the website has the ability to manage the directory where their webpage resides, along with some space outside that directory so that sensitive data can be on the server without being accessible by someone browsing the web page. They do not have the ability to alter the daemon configuration. While some provisions are made for certain types of access controls (though a mechanism known as .htaccess), this mechanism can't be used for https configuration. While I am not familiar with the google web hosting environment, I have gotten hints that this may be the type of environment that the site admins are working in.

The alternative (such as is provided by amazon web services) is essentially a 'bare' VM. The entity using this type of service is responsible for everything from the operating system on up. While they have the ability to configure the http daemon for https, they are also responsible for patching the operating system and http daemon as updates are released.