Using videolan purely as representative example... Here are some keys...

https://download.videolan.org/pub/keys/
https://keyserver.siccegge.de:11371/pks/lookup?search=0xE58D1ADC&fingerprint=on&hash=on&op=vindex

Their main app is signed. But like most orgs, they still think unsigned '.md5 / .sha1' text files are somehow both unbroken crypto hashes, and unmolestable...

https://download.videolan.org/pub/videolan/vlc/2.2.6/

Probably none of rest of their tree / libraries are signed...

https://download.videolan.org/pub/videolan/

Probably also not signed is their repo init hash, or any subsequent tagged commits (btw, monotone.ca is a bit more integrated there)...

https://git.videolan.org/

And depending on jurisdiction, even looking at these subjects over cleartext could be a privacy / legal / watchlist nightmare...

https://download.videolan.org/pub/videolan/libdvdcss/1.4.0/
https://download.videolan.org/pub/videolan/libbluray/1.0.1/
https://download.videolan.org/pub/videolan/libaacs/0.9.0/
https://download.videolan.org/pub/videolan/libbdplus/0.1.2/

Any hacked consumer router / wifi / ISP / corp / gov can easily intercept / replace the 'tarball' '.asc' pair on the fly.

HTTPS can help with that. But even CA's, letsencrypt.org, and browser cert store are subvertable. That's why TLS cert fingerprint pinning and cert observatories also exist.

Then you've got ARP, IP and DNS MITM and BGP too, neither have really globally fully deployed 'SEC' versions yet.

For cookies, there's domain validity and TLS horizon issues.

And for binaries, there's reproducibility and chain of trust back to source.

Then distribution channels and bitrot and hardware / software / service / human backdoors, exploits, and exploitation.

That's the sad global state of affairs. It's easy to bury your head or be busy.

While imperfect alone, default HTTPS / TLS is free and easy and helps negate and make things harder in depth, and pisses off some adversaries. It's part of the game till something better comes, just do it.

To their credit (or Gandi as their possible hoster), this actually works, it's just not the enforced / exclusive default, which is a fairly easy switch to flip...

https://www.videolan.org/
https://www.ssllabs.com/ssltest/analyze.html?d=www.videolan.org&s=88.191.250.2&latest

They accept bitcoin...

https://www.videolan.org/contribute.html

Don't look here either...

http://www.labdv.com/aacs/
http://forum.doom9.org/forumdisplay.php?f=9

Curiously, the end2end of onion / i2p / cjdns services bypass some of those issues, but few clearnet sites offer them.
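
Added example, not part of the original post and not VideoLAN's code: a Python sketch of why an unsigned '.sha1' sidecar fetched over the same channel as the tarball says nothing about integrity, while a digest obtained out-of-band does. The file name, byte strings and the dict-based "channels" are constructed for illustration; the pinned SHA-256 stands in for any trust anchor held outside the download path, such as a signing key fingerprint.

```python
import hashlib
import hmac

def parse_sidecar(text, filename):
    """Return the hex digest listed for filename in sha1sum/md5sum-style text."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*").strip() == filename:
            return parts[0].lower()
    raise ValueError("no entry for " + filename)

def sidecar_ok(blob, sidecar_text, filename, algo="sha1"):
    """Check blob against an unsigned sidecar fetched over the same channel."""
    expected = parse_sidecar(sidecar_text, filename)
    actual = hashlib.new(algo, blob).hexdigest()
    return hmac.compare_digest(actual, expected)

def pinned_ok(blob, pinned_sha256):
    """Check blob against a SHA-256 obtained out-of-band (assumed trusted)."""
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256.lower())

def fetch(channel, name):
    """Stand-in for a download: channel is a dict of name -> bytes."""
    return channel[name]

# Constructed sample data: a "release" and what a rewriting middlebox serves.
NAME = "example-1.0.tar.xz"
genuine = b"genuine release bytes"
swapped = b"replaced release bytes"
PIN = hashlib.sha256(genuine).hexdigest()  # recorded earlier via a trusted path

def sidecar_for(blob):
    """Build the sidecar text that matches whatever blob is being served."""
    return (hashlib.sha1(blob).hexdigest() + "  " + NAME + "\n").encode()

clean_channel = {NAME: genuine, NAME + ".sha1": sidecar_for(genuine)}
rewritten_channel = {NAME: swapped, NAME + ".sha1": sidecar_for(swapped)}

def check(channel):
    """Return (sidecar check result, pinned check result) for one download."""
    blob = fetch(channel, NAME)
    side = fetch(channel, NAME + ".sha1").decode()
    return sidecar_ok(blob, side, NAME), pinned_ok(blob, PIN)

if __name__ == "__main__":
    print("clean    ", check(clean_channel))      # (True, True)
    print("rewritten", check(rewritten_channel))  # (True, False)
```

The sidecar check passes in both cases because whoever controls the channel controls both files; only the check anchored outside the channel notices the replacement.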