Register not over SSL?
So, unless I'm missing something, this seems bad:
I've enabled (and enforce) logins to be over SSL (HTTPS), and it's working as intended. However, there seems to be no way to configure the system to use SSL for the registration phase. Which means, unless the user is very careful and explicitly changes the URL to be https:// when he registers, he'll send his password unencrypted over the wires.
I've temporarily fixed this myself by forcing the form request to go over SSL (modifying the template), but shouldn't this be configured similar to the login box? In fact, I think if I enable the "force" login over SSL feature, registration should also always be over SSL. A nice UI might also offer an "register securely" alternative link.