by alpb 3515 days ago
Little bit off-topic but:

> respects freedoms and privacy of its users

It downloads the binary over http on http://ring.cx, which makes it susceptible to tampering. Is serving binaries over HTTP a GNU thing because the expectation is that you would check the signature?


Care to elaborate? http://ring.cx has a 301 forward to https://ring.cx, and all the downloads seem to use https as well. Where is it using plain http? Or was the forward added in the last hour?
The links on the "Downloads" page are HTTPS, but the download button on the home page points to http://gpl.savoirfairelinux.net/ring-download/windows/ring-w... with no security.
Thank you, that explains it. For me, the same button links to https://ring.cx/en/download/gnu-linux but under windows you are right.
Couldn't a MitM attack skip the redirect?
Sure, although not in mainstream browsers if there's HSTS + HSTS preloading, which can be easily adopted by any site. Outside browsers, HSTS is usually not supported. It was actually implemented by wget, but without preloading, so it only works after first use which is much less useful.
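An added check, not from the thread or the Ring project, for the two conditions the replies above turn on: download links that still use plain http alongside HTTPS ones, and whether a Strict-Transport-Security header meets the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload). The sample links and header values are constructed.

```python
from urllib.parse import urlparse

# Minimum max-age hstspreload.org requires for inclusion (one year in seconds).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if value.isdigit():
                policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_gaps(header):
    """Return the reasons a header would not qualify for the browser preload list."""
    policy = parse_hsts(header)
    gaps = []
    if policy["max_age"] is None or policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        gaps.append("max-age below one year")
    if not policy["include_subdomains"]:
        gaps.append("missing includeSubDomains")
    if not policy["preload"]:
        gaps.append("missing preload")
    return gaps


def insecure_download_links(links):
    """Return the links that fetch over plain http (the mixed-link case in the thread)."""
    return [u for u in links if urlparse(u).scheme.lower() == "http"]


# Constructed sample data; hostnames are placeholders, not captured from ring.cx.
SAMPLE_LINKS = [
    "https://downloads.example.invalid/en/download/gnu-linux",
    "http://mirror.example.invalid/ring-download/windows/ring.exe",
]
SAMPLE_HSTS = "max-age=300"  # too short and without preload directives
```

A download page with one plain-http link is no better than all-http for the user who clicks it, regardless of what the home page redirect does.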