Luckily, we don't use that js, we use:
http://twitter.com/javascripts/blogger.js
and I just checked the certificate behind this and it's valid (I should hope twitter's main cert is valid!):
https://twitter.com/javascripts/blogger.js
and we use the json API:
http://api.twitter.com/statuses/user_timeline/healpay.json?c...
which also happens to have a valid cert:
https://api.twitter.com/statuses/user_timeline/healpay.json?...
So it looks like we're in the clear for this at least :)