
Answer by Nick Craver for Why doesn't the Stack Overflow team fix the Firesheep style cookie theft?

We will be purchasing certificates for the network this week (dev is already in place), but there's still a lot left to do on the move to SSL. If you're curious about the details, you can read a recent blog post I wrote about it here.

It's far from a trivial task, but we're moving towards making SSL available and then the default. I'll continue to blog about the SSL implementation as we go (websockets may be interesting, for example).

If there are current questions, I'm happy to answer them. As for this one: why aren't we doing anything? Well, we are now... Why weren't we? Because it's complicated and wasn't even a possibility before now. Third-party content (ads, MathJax, etc.) had to support it, and it didn't until very, very recently.

Update #1 Jun 20th, 2013: The setup/test procedures of the migration to SSL configs were much more involved when we saw how to do it safely on production. We will be testing our internal/virtual load balancers very early next week, then prepping to deploy certs to production. The site code will take longer (making https:// the default, 301, canonical, etc.), but this will make SSL available as soon as we can.

Notes: websockets are an almost complete unknown on our intended setup; you may see intermittent connectivity with real-time as we figure out what fun times are involved with our setup and how SSL sockets will best work.

Update #2 May 22nd, 2017: We have rolled out HTTPS across the network. Next up is chat forcing https:// (even with mixed content) and then secure-only cookies. Look for both of these to happen soon.

