[CentOS-mirror] Redirects to https considered harmful

Anssi Johansson

avij at centosproject.org
Mon Aug 6 06:31:47 UTC 2018


So let's get this straight...

There are a few CentOS mirrors that redirect their http traffic to 
https. This is fairly easy nowadays with Let's Encrypt and their 
automatic cert installation scripts. While I believe that the intention 
is good, I'm afraid the forced redirects are not actually helping.

I can't speak for other projects, but for CentOS mirrors, I believe that 
you should respond using the same protocol the request was sent with. My 
concern is that there are organizations (hospitals, banks, research 
centers etc) that want to make sure no confidential information leaks 
out from their organization. Connections to random HTTPS sites may get 
blocked at their firewall because the firewall can't see what's inside 
the request.

It should also be pointed out that the scripts behind 
http://mirror-status.centos.org/ will (currently) happily follow all 
kinds of redirects to retrieve the timestamp file. However, the scripts 
that create the actual data for mirrorlist.centos.org for each 
repository are unable to access https URLs. So the moment you set up 
that redirect to https, your mirror stops being included in the output 
of mirrorlist.centos.org.

I have already tried reaching out to a few mirrors doing such redirects, 
but I have not received a response yet. Those mirrors will eventually be 
disabled after a few more automatic nag emails, but I'm hoping that 
those mirror operators would exclude their CentOS mirror traffic from 
the redirects before that happens.

To be clear, you are free to offer CentOS files over https, but the 
redirects should be disabled. I can see the CentOS mirror system 
supporting https and mirrorlist.c.o (optionally) handing out https URLs 
some day, but even then, I believe that http requests should be answered 
with http, and https requests should be answered with https.

Thank you for your time!
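A small probe that checks a mirror for exactly the behaviour described in this post: it sends one plain http request without following redirects and reports whether the mirror answered in the same protocol or bounced the client to https. This is an added example, not part of the original message or of the CentOS mirror scripts; the mirror URL and the path of the timestamp file are constructed placeholders.

```python
"""Probe a mirror URL for http -> https redirects (added example, not CentOS code)."""
import http.client
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Assumption: path of the timestamp file the mirror scripts fetch; placeholder only.
TIMESTAMP_PATH = "/centos/TIME"


def classify(request_url: str, status: int, location: Optional[str]) -> str:
    """Classify one HTTP response against the 'same protocol in, same protocol out' rule.

    Returns "ok" for a direct 200, "http-<code>" for other non-redirect answers,
    "same-scheme-redirect" for a redirect that keeps the request scheme, and
    "scheme-changing-redirect:<from>-><to>" for the case the post warns about.
    """
    if status // 100 != 3 or not location:
        return "ok" if status == 200 else f"http-{status}"
    req_scheme = urlsplit(request_url).scheme
    target = urljoin(request_url, location)  # Location may be relative
    tgt_scheme = urlsplit(target).scheme
    if tgt_scheme != req_scheme:
        return f"scheme-changing-redirect:{req_scheme}->{tgt_scheme}"
    return "same-scheme-redirect"


def probe(url: str, timeout: float = 10.0) -> str:
    """Send a single GET without following redirects and classify the answer."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"User-Agent": "mirror-redirect-probe/0.1"})
        resp = conn.getresponse()
        return classify(url, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Constructed placeholder host; pass real mirror URLs on the command line.
    for mirror in sys.argv[1:] or ["http://mirror.example.org" + TIMESTAMP_PATH]:
        print(mirror, "->", probe(mirror))
```

A result of `scheme-changing-redirect:http->https` on the http URL is the condition that, per the post, drops a mirror from mirrorlist.centos.org even though mirror-status.centos.org still shows it as healthy.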

