Hmm. I can't replicate this. If I try to access the site via HTTP the connection is always redirected to HTTPS. If you can provide steps to reproduce accessing via HTTP I'd like to see them, thanks!
I'm glad it's fixed now.
Regarding offlineaddress, once I've loaded the site over SSL, what do I do to make sure the code hasn't been tampered with by a hacker?
Not much, as I've explained
here, dedicated hacker will always succeed.
For power-users the easiest and obvious way is to open terminal and type:
git clone https://github.com/mikewoods/OfflineAddress.com
After that you'll have the whole site locally ready to run, you don't even need to unzip it.