This is not wrong, but not a real vulnerability either I believe, if only because, to begin with, downloads are made through HTTPS.
(Don't take my words for granted though, I'm not a security expert)
Wrt your first question, have a look at http://www.gwtproject.org/makinggwtbetter.html
You could post to the GWT Contributors group, or file an issue on gwtproject/gwt.
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firstname.lastname@example.org.
To post to this group, send email to email@example.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.