In recent years, the technical reasons blocking us from implementing full-site HTTPS have mostly become moot. Certificates are readily available, and even though our parent company likely wouldn't be going through Let's Encrypt or another free issuer, cost is mostly negligible. Server load at our scale (many million page views per month) also used to be more of a concern, but modern CPUs have largely rendered this negligible, as well. Google publishes numbers stating the total overhead from TLS encryption/decryption on their web frontends is about 1%, even at their massive scale.
So, the real reason we can't go full-HTTPS? Ad networks. Quite simply, our advertising fill rates would drop by between 50 and 60% if we went full HTTPS today, and this would be economically unsustainable. Our leadership team here is all tech savvy, and several of us are even developers ourselves in our day jobs - we're well aware of the benefits and justification for an HTTPS internet (not to mention, we'd also love to be able to take advantage of HTTP/2 for site performance). But the decision today, with the current state of the advertising industry, is one where we must decide between going full-HTTPS or closing the site's doors because it loses too much money... and given that constraint, the choice is obvious. We don't bring in enough revenue from direct-sold ad campaigns or Overclocked account subscriptions to make up the difference, and I don't have a problem being open about this fact. At this point, it's purely a financial consideration.
We hope that as the rest of the internet continues its march towards full-HTTPS by default, so too will the advertising networks that we rely on to pay for our operations - but that time hasn't come yet. As soon as we can make a move, we will. In the meantime, rest assured that your usernames, passwords, registration info, etc. are all collected from HTTPS pages and sent back to HTTPS endpoints.
Thanks for the understanding.