I'm not sure I follow this line of thinking.
Encryption doesn't make a server secure - it just reduces the visibility down to one-to-one conversations.
If your server allows UserA to enter into your system via HTTP then HTTP is misconfigured.
If your server allows UserA to enter into your system via HTTPS then you are secure?
Who is UserA? Should they have been allowed? [those are security questions - HTTPS alone can't answer]
The unencrypted protocol use should ONLY be for cert authentication and renewals.
If they are allowing "other things" to happen over HTTP, then they are NOT doing things correctly.
But you are always at the mercy of the product in use (on their R&D, programming, etc. for both HTTP and HTTPS)
IF YOU ARE EXTREMELY PARANOID (I mean "security conscious" [like me 
] then proxy the HTTP traffic through another system and only allow the authentications to reach the DSM)