Message boards : Web interfaces : https?
Author | Message |
---|---|
Joined: 3 Dec 13 Posts: 5 |
I tried a Web RPC call using https (to get a user's credits...); it didn't work, while an http one did. Is support for https on Web RPC calls elective? (that would be unfortunate if they are...) Do some projects support that and others don't? Any rough idea of the percentage of ones that do?? (wild guesses accepted...) |
Joined: 4 Jul 12 Posts: 321 |
As every project is a self-controlled instance of BOINC it is the project's responsibility to get an SSL certificate and implement https. So far I know of 3 or 4 projects (out of maybe 70 public ones) that have SSL enabled. So if you are writing a tool that communicates with different projects you should somehow implement logic to see if the project supports https and remember this setting. |
Joined: 3 Dec 13 Posts: 5 |
Answer: It is elective. Suggestion: A friendly recommendation for supporting https should be included in the documentation. This way accounting software that is tracking credits cannot be sabotaged by a man-in-the-middle through DNS poisoning, and thus users get fictitiously awarded points when they should not... |
Joined: 3 Dec 13 Posts: 5 |
You just posted before I did above; I also found that very few projects support https. My guess as to why is because their BOINC is often running on a subdomain URL (for example: boinc.project.com), and they did not pop the extra bucks for a wildcard SSL certificate. If those projects having SSL and presently using subdomains were to support an alternative URL path (project.com/boinc) by adding a directive for rewriting to their Apache conf file(s), then it would work... |
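
Added example, not part of the thread and not BOINC code: one way to build the "see if the project supports https and remember this setting" logic suggested in the second reply, with the remembered setting only ever upgrading to https so that blocking port 443 cannot push a tool back to plain http. The names `SchemeCache`, `https_probe` and `PROBE_PATH` are hypothetical, and the probe path is an assumption; use whichever Web RPC your tool actually calls.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: any Web RPC path the project serves will do as a probe target.
PROBE_PATH = "get_project_config.php"


def https_probe(key, timeout=10):
    """True if https://<key>/<PROBE_PATH> answers 200 with a certificate that
    validates (chain and host name) against the system trust store."""
    ctx = ssl.create_default_context()
    url = "https://%s/%s" % (key, PROBE_PATH)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status == 200
    except (urllib.error.URLError, ssl.SSLError, OSError):
        return False


class SchemeCache:
    """Remembers per project whether https worked.

    A project recorded as https is never probed again and never falls back
    to http; a project recorded as http is re-probed only on recheck=True,
    so the stored setting can be upgraded but not downgraded."""

    def __init__(self, probe=https_probe):
        self.probe = probe   # injectable so the logic can be tested offline
        self.known = {}      # "host/path" -> "https" or "http"

    def base_url(self, project_url, recheck=False):
        if "//" not in project_url:
            project_url = "//" + project_url   # accept bare "host/path"
        parts = urlsplit(project_url)
        key = parts.netloc.lower() + parts.path.rstrip("/")
        state = self.known.get(key)
        if state != "https" and (state is None or recheck):
            state = "https" if self.probe(key) else "http"
            self.known[key] = state
        return "%s://%s/" % (state, key)
```

Persisting `known` between runs (for example as a small JSON file) is what makes the setting "remembered" across sessions; credit figures fetched over a URL that came back as `http://` remain open to the tampering described in the third post.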
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.