It seems I forgot to forward this when it blew my mind the first time. If you still need a reason to not download binaries from http:// URLs , this is it:

The Case of the Modified Binaries http://www.leviathansecurity.com/blog/the-case-of-the-modified- binaries/

While SourceForge is another story, they are an example of a website offering binaries through plain http://, e.g. http://downloads.sourceforge.net/project/filezilla/FileZilla_Client/3.13.0/FileZilla_3.13.0_win32-setup.exe. Oh my.