reCaptcha verification is hardcoded to use plaintext HTTP
The reCaptcha API which BridgeDB uses hardcodes the CAPTCHA verification submission to occur over plaintext HTTP. See their source code and grep for 'verify'.
Their API is also blocking. BridgeDB would probably go faster if it were asynchronous.