aaronpkit's true that without the https cert, indieauth.com *might* be MITM'd and the attacker could inject their own link on your home page. but that's a pretty far stretch because it requires MITM'ing the connection between indieauth.com and your server.
