Kurt Seifried of the Red Hat Security Response Team reports:
There are a number of programs and scripts in Docker that download content via
HTTP and then execute the content or use it in other unsafe ways (e.g. signing
keys used to further verify content that is downloaded and executed).
I can't speak for the build process etc., but monitoring 1.5 on the network I no longer detect any HTTP traffic when issuing a docker pull. Anything else (e.g. bad Dockerfile hygiene) is a separate issue.
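One way to audit a Dockerfile or build script for the two cases the report names (content fetched over plain HTTP and then executed, or imported as a signing key), as an added example that is not code from Docker or from either commenter. The regular expressions, the `scan` and `logical_lines` helpers, and the sample Dockerfile with its `example.test` URLs are all constructed for illustration.

```python
import re

# Any plain-HTTP URL (https:// does not match).
HTTP_URL = re.compile(r"\bhttp://[^\s'\"|;&)]+", re.I)
# Fetched content piped straight into an interpreter.
PIPE_EXEC = re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|python\d?|perl)\b")
# Fetched content imported as a package-signing key.
KEY_IMPORT = re.compile(r"\b(?:apt-key\s+add|gpg\s+--import|rpm\s+--import)\b")

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def scan(text):
    """Return (line, kind, url) for every plain-HTTP fetch, worst use first."""
    findings = []
    for n, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # comments are not executed
        m = HTTP_URL.search(line)
        if not m:
            continue
        if PIPE_EXEC.search(line):
            kind = "executed"
        elif KEY_IMPORT.search(line):
            kind = "signing-key"
        else:
            kind = "fetched"
        findings.append((n, kind, m.group(0)))
    return findings

# Constructed sample input, not taken from any Docker repository.
SAMPLE = """\
FROM debian:stable
# http://example.test/ignored-comment
RUN curl -sSL http://example.test/install.sh | sh
RUN wget -qO- http://example.test/repo.key \\
    | apt-key add -
RUN curl -fsSL https://example.test/install.sh -o /tmp/install.sh
ADD http://example.test/tool.tar.gz /opt/
"""

if __name__ == "__main__":
    for n, kind, url in scan(SAMPLE):
        print(f"line {n}: {kind:11} {url}")
```

A "fetched" finding still needs review: the content may be executed in a later step that a line-by-line scan cannot see.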