Kurt Seifried of the Red Hat Security Response Team reports: There are a number of programs and scripts in Docker that download content via HTTP and then execute the content or use it in other unsafe ways (e.g. signing keys used to further verify content that is downloaded and executed).
I can't speak for the build process etc. but monitoring 1.5 on the network I no longer detect any http traffic when issuing a docker pull. Anything else (e.g. bad Dockerfile hygeine) is a separate issue.