The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.