I use the HTTP AUTH plugin to authenticate users and I ensure that this is only ever done over SSL (in my Apache conf files)
However, WordPress then sets an "auth cookie" on the users browser which is used to authenticate the user for 2 weeks. The user can easily swap to HTTP mode and therefore an attacker could snoop the auth cookie and obtain login rights for that time period. IMHO, this is a fairly big security hole in WordPress in general (even for the default authentication mechanism).
Could you please support an option in your plugin (or let me know a simple way how to implement it myself) so that WordPress only requests the auth cookie when the user is using HTTPS? (BTW, I do need to keep the HTTP version of the site up for normal visitors)