It's nice that they've tried to improve by providing a GPG public key on their new page [0]; however, it links to a non-HTTPS page to download it: http://hosted.lifx.co/security/lifx_pgp_public.asc. I'm not sure they are actually taking this seriously.