Comment 8 for bug 1473091

No, it has nothing to do with certificates.

Launchpad needs to set the domain of its session cookies to ".launchpad.net" so that they're visible by its other virtual hosts (code.launchpad.net, bugs.launchpad.net, etc.), but this also causes them to be visible to all other subdomains of launchpad.net. We also set the "secure" flag on those cookies, which mitigates this by ensuring that browsers at least only send them over HTTPS. However, if ppa.launchpad.net were accessible over HTTPS, then any page there would be able to exfiltrate your session cookie. While I don't currently know of a way to get ppa.launchpad.net to serve arbitrary content with Content-Type: text/html, it's a service that hosts a great deal of user-generated files, and it wouldn't take that much to construct abuses of it that would confuse browsers. We need to move it before using HTTPS is safe.