Both communication ends (HTTP and socket from the agent) must have an option to use the secured communication. This way we would disable network sniffing that might contain sensitive user data.
The best option would be if user does not have to do anything and agent and UI can figure out if they need to use secure connection or not. Alternatively:
On the UI add use secure connection option when adding repository
On the agent provide additional start-up parameter
Note that we still need to enable non-secure connections as default, so that people don't need to configure certificates, etc.