I came across this when I was trying to generate salts and keys:
This feature is deprecated ! We highly recommend generating your own keys and salts instead of relying on a remote service to do this for you.
Although, I can generate one using the command on the salt page, but is this compulsory in the sense of generating it via my server. I am writing a tutorial, so, was looking for quick methods.
Disadvantages of remote generation is that the algorithm to generate is well known and also could be compromised in transit between generating it and you receiving it.
Which was the reason for this line “instead of relying on a remote service”, so, I think that answered my question.
The WordPress secret-key service is now https://api.wordpress.org/secret-key/1.1/salt/ so transmitting over plain http should, in theory, not be an issue…except that you can still access it using http. It doesn’t auto-redirect to https. Bizarre.
But it’s still best to leave CP to do the magic as by default, this is all done on your server. No internet involved.