A researcher recently disclosed several issues with the update mechanism in Drupal. A CSRF flaw could allow attackers to force admins to repeatedly trigger update checks. The team has switched the project’s infrastructure to support HTTPS so that the update processes for the Drupal core and its modules use secure channels. For now, website administrators can use a supported version of Drush to deploy updates or manually download the release archives from their corresponding project pages. The Drupal security team has enabled HTTPS updates in Drush, a popular command-line shell interface for Drupal.”]
Source: https://www.csoonline.com/article/3021172/drupal-to-secure-its-update-process-with-https.html