Post
Topic
Board Electrum
Re: Electrum 1.9 released
by
sdp
on 14/11/2013, 12:29:50 UTC
Please add HTTPS support to the download page of electrum. (download.electrum.org)

Or just only for the PGP signature of the downloads and the developers.
+1

Good idea.  All software should be downloaded with https or at least have PGP signatures.  All devs should subscribe to Security Now (Podcast).

A bit problematic though: arguably a man-in-the-middle (MIM) attacker could give a false public PGP key.  The devs' public keys should be distributed over https.  There is also an issue in switching from http to https.

[quote SecurityNow Episode 403]
The problem is that they're initially able to make a connection that is not secure, and a man in the middle could, and we've talked about this before, could arrange to strip off the HTTPS outbound query, changing it to HTTP in order to still try to make the service usable.
[/quote]

So a MIM attacker that sees index.html over http could change the https links to http.  So, instead of downloading the PGP key over https, it will come down over http, which could actually be any key the attacker wants to substitute, such as one he creates himself.  This holds for signatures too, as well as the binaries, which could be modified to be a trojan horse.

sdp
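The downgrade described in the post (key, signature and binary links on an http-served index page rewritten from https to http) can be spotted mechanically. The check below is an added example, not Electrum's code or anything from the forum; the page HTML is constructed, the file names are made up, and download.electrum.org is used only because the post names it.

```python
"""Flag download-page links to keys, signatures or binaries that are not HTTPS.

Added illustration for the sslstrip scenario; not Electrum project code.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Artefacts the whole verification scheme rests on: keys, signatures, binaries.
SENSITIVE_SUFFIXES = (".asc", ".sig", ".gpg", ".exe", ".dmg", ".tar.gz", ".zip")


class LinkCollector(HTMLParser):
    """Collect every <a href> on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def downgraded_links(page_url, html, trusted_hosts):
    """Return sensitive links that do not resolve to https on a trusted host.

    Relative links are resolved against page_url, so a page fetched over plain
    http makes its relative key/signature links plain http too, which is exactly
    the case the post warns about.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        parsed = urlparse(absolute)
        if not parsed.path.lower().endswith(SENSITIVE_SUFFIXES):
            continue
        if parsed.scheme == "https" and parsed.hostname in trusted_hosts:
            continue
        findings.append(absolute)
    return findings


# Constructed sample: a download page after an attacker rewrote one link to http
# and left the developer key as a relative link (file names are invented).
SAMPLE_PAGE = """
<a href="https://download.electrum.org/Electrum-1.9.tar.gz">source</a>
<a href="http://download.electrum.org/Electrum-1.9.tar.gz.asc">signature</a>
<a href="dev-key.asc">developer key</a>
"""

if __name__ == "__main__":
    for link in downgraded_links("http://download.electrum.org/", SAMPLE_PAGE,
                                 {"download.electrum.org"}):
        print("not protected by HTTPS:", link)
```

The same page loaded over https only flags the explicitly rewritten signature link, which is why the index page itself must be served over https before any per-link check means anything.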