Hi Tuan,
Just a suggestion...
I notice that if a user has SSL enabled on the Event Booking settings, a user can still get around it by dropping the HTTPS part of the URL when it comes to the Registration/Billing page, leaving personal information vulnerable.
Can I suggest that you add the code below to the following pages:
/register/tmpl/default.php
/register/tmpl/group.php
/register/tmpl/group_billing.php
This will force users on the registration / billing page to use SSL, even if they don't come through the proper registration funnel.
View code on StackOverflow:
stackoverflow.com/a/85867
EDIT: Sucuri won't allow me to embed the code.
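A sketch of the kind of check the post describes, as an added example; it is not the code from the linked StackOverflow answer, from the poster, or from Event Booking. The function name `https_redirect_target` and the host `www.example.com` are hypothetical, and it assumes TLS terminates on the web server itself (so `$_SERVER['HTTPS']` is reliable) and that the snippet runs before any output is sent.

```php
<?php
// Added illustration, not Event Booking code.
// https_redirect_target() and the host name below are hypothetical.

/**
 * Return the HTTPS URL to redirect to, or null when the request
 * already arrived over HTTPS.
 *
 * @param array  $server        The $_SERVER array for the request.
 * @param string $canonicalHost The site's configured host name.
 */
function https_redirect_target(array $server, string $canonicalHost): ?string
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    $port  = (int) ($server['SERVER_PORT'] ?? 0);

    // HTTPS is non-empty for TLS requests; IIS sets it to "off" for plain HTTP.
    if (($https !== '' && $https !== 'off') || $port === 443) {
        return null;
    }

    // Build the target from the configured host rather than the
    // client-supplied Host header, so the redirect stays on this site.
    $path = (string) ($server['REQUEST_URI'] ?? '/');
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }

    return 'https://' . $canonicalHost . $path;
}

// Placed at the top of a registration / billing template (assumption:
// no output has been sent yet, so headers can still be set).
if (PHP_SAPI !== 'cli') {
    $target = https_redirect_target($_SERVER, 'www.example.com'); // placeholder host
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
}
```

The redirect only takes effect after the plain-HTTP request has already been sent, so the registration form's action URL should itself be HTTPS; a `Strict-Transport-Security` response header on the HTTPS site keeps returning browsers from making the plain-HTTP request at all.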