Use secure origins for tools, contribs, and update/key responses

This MR contains three separate commits; please see each commit for its description and surface area.

Overall summary: this MR updates the "contribs" and "tools" bootstrapping phases to use secure origins (i.e., HTTPS) wherever possible. Where a given origin only supports HTTP, I've marked it with an XXX comment. To do this, I checked each origin for HTTPS support; if a given origin didn't have support, I then looked for an equivalent official upstream with HTTPS support. If there was no equivalent official upstream, then I retained the original HTTP-only origin.

Separately, this MR also updates the "status" and key directory URLs to use HTTPS. I confirmed manually that these domains are serving valid certificates.