As of now, its website still lacks valid HTTPS. The GitHub project contains copies of the font files, but they would presumably lack proper CORS headers if loaded from there.
However, as I am using a locally stored copy of the font, the only relevant MITM would be that which could have occurred during the initial download. It is trivial to verify (visually) that the specific MITM described by Tepples in his tweet did not occur, but I haven't put the effort into checking for subtler malicious activity.
The license is not the problem; it is the SIL Open Font License. --Eighty5cacao (talk) 18:49, 30 December 2017 (UTC)