Font loading update: All HTTPS, all the time
We’ve made this change as a response to the recent vulnerabilities and exploits in the OpenType and TrueType font formats. A malicious attacker could use these vulnerabilities to modify a Typekit font while it is being transmitted from our servers to your browser. Serving fonts (and other resources) over HTTPS ensures that the communication channel between your browser and our servers is not compromised and fonts are delivered in a secure way.
Changing to this new embed code won’t affect your website negatively. You can safely replace (or update) the protocol-less URL with the secure version and your site will continue to get fonts — only in a more secure way. You can also do this if your site only supports HTTP; it is no problem to load secure resources on a HTTP-only website.
We actually switched over all our font and CSS loading to HTTPS about a month ago. We’ve been monitoring our performance metrics since then and haven’t seen any significant change in performance. We won’t be shutting down (or redirecting) our HTTP endpoints for the foreseeable future, since many old kits and web pages still rely on them. However, we strongly recommend that everyone update their embed code for a safer web.
Please let us know at firstname.lastname@example.org if you’re concerned about this change or if you have any questions.