Here's some output from a push:
Notice that the 's' was dropped from 'https' at the start. hg asks for my password and the push succeeds.
I didn't try sniffing, but does this mean my password was sent in the clear?
Two bugs here: one is Mercurial's -- it shouldn't switch from SSL to non-SSL when sending a password without complaining loudly. The other is Bitbucket's -- it needs to be careful not to drop the https protocol when redirecting.
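
A client-side check for the redirect downgrade described in the post, as an added example that is not part of the original post and is not Mercurial's or Bitbucket's code. The function names and the `hg.example.test` URLs are assumptions made up for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


class InsecureRedirect(Exception):
    """Raised when following a redirect would expose credentials."""


def _origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def check_redirect(request_url, location, sending_credentials):
    """Decide how to follow a redirect (hypothetical helper).

    Returns (target_url, keep_credentials). Raises InsecureRedirect when
    an https request carrying credentials is redirected to a non-https URL,
    which is the case the post describes.
    """
    # Location may be relative or scheme-relative; resolve it first.
    target = urljoin(request_url, location)
    src = _origin(request_url)
    dst = _origin(target)

    if dst[0] not in DEFAULT_PORTS:
        raise InsecureRedirect("unsupported redirect scheme: %r" % dst[0])

    if src[0] == "https" and dst[0] != "https":
        if sending_credentials:
            # Fail loudly instead of silently resending the password.
            raise InsecureRedirect(
                "redirect from %s drops TLS: %s" % (request_url, target))
        return target, False

    # Never forward credentials to a different scheme/host/port.
    return target, sending_credentials and src == dst


if __name__ == "__main__":
    # Constructed sample: the server answers an https push with an http URL.
    try:
        check_redirect("https://hg.example.test/user/repo",
                       "http://hg.example.test/user/repo/", True)
    except InsecureRedirect as exc:
        print("refused:", exc)
```
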