I am also concerned that cabal does not have support for SSL, but hackage must come first and at least then a sufficiently paranoid person can download their packages over https and ad them to their cabal sandboxes.
We need an SSL library that cabal can depend on. This means that it needs to be cross-platform, not pull in too many other depedencies, etc. Someone needs to investigate the options and perhaps write a new binding if needed.