1. HTTP is because of server reasons.
HTTPS does not protect you against a "man in the middle" attack; the attacker can also get a cert from Let's Encrypt, so you will not notice.
HTTPS with Let's Encrypt protects you from somebody listening in, but you do not send any personal info when you visit the webpage.
However, there are plans to change it when I can move the site, but that is a money issue.
2. App Cert is something on my list I want to do, BUT it is a money issue. It costs around 150-350$ a year for a code signing certificate.