Requiring updates to be served from SSL-sites has numerous drawbacks, for example it requires you to have a server on a separate IP-adress, which costs extra for many using shared hosting.
I agree that signing updates is a better approach, but it is not necessary to have a separate IP to run both an SSL and non-SSL web server on the same host, since they can (and usually do) use different ports - 80 for HTTP and 443 for HTTPS by default. Using Apache IP-based virtual hosts you can even have both in the same instance.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds