[stuckindider]

What you linked isn't talking about the entire site. It literally says that the signature page is secure. But they don't mention the entire site being secure. I wonder why...

Here it is 3.5 years ago being hosted over http and not redirecting to https. It looks like they changed in 2018.

https://web.archive.org/web/20170907194943/http://keepass.in...

[mywittyname]

The "security issue" you're talking about was that the URL used to determine if there is a new version available was HTTP-only. People felt like this was a security concern because it was susceptible to a MitM attack. The author felt like this was a none-issue because Keepass did not self-update at all, the URL was only used to inform the user of a new version. So a successful MitM attack would merely inform the user of a new version.

New version of the software were served via mirrors and digital signatures for all versions were made available. Standard security practice for the era was to verify the digital signatures of software before installing it because so much software was served by third parties.

Also, this all happened before HTTPS was ubiquitous (the patch to force version checks to use HTTPS came in 2016). Most sites still served traffic over regular HTTP, with only logins and purchase pages using encryption.