[Touche]

Why, the only thing I see on the page that could be compromised is the mailto: link.

[r1ch]

Compromising a page doesn't necessarily have to alter existing content. It would be easy to add a "Download Preview Build" link pointing to a trojan, add links to a fake kickstarter, etc.

[giancarlostoro]

That sounds like altering existing content by adding new content btw.

[nitrogen]

Yes, a MITM can do that.

[jessaustin]

And could still do the exact same thing if they had TLS: get the page, add crap, and serve the result (albeit without TLS).

[3pt14159]

You know, I've never really realized that before. It's actually a pretty huge security hole for average users, no? There should be a way to explicitly forbid non-encrypted connections on a DNS level.

[lfowles]

That's roughly the purpose of HSTS, but you need to have visited the site at least once first (or in the case of popular sites, HSTS status of a site is shipped with the browser.)

[vacri]

A technical user could reasonably be expected to look for https before downloading 'preview build' or something equally payload-ey.

Then sigh and download PuTTY anyway...

[chinathrow]

It's information leakage at its finest.

[sp332]

HTTPS still leaks the domain name, so that wouldn't help too much. (Unless you meant some other information?)