Thanks for your reply.
This is both true and meaningless. I can't spoof your cert *and* have the trust chain check out unless I've directly copied it (including your public key). And if I've directly copied it, I can't use it to imitate you, because I don't have your private key. You seem to have a fundamental misunderstanding of how x509 certs work and I don't seem to be able to help you there, so maybe you can attempt the attack on your bank yourself sometime.
If you have a theoretical MITM on TLS using a Gateway, I'd love to hear about it. The one recent example of this involved first installing a malicious CA on the client machine. In other words, the client (or OEM) installed the vulnerability themselves. It's not something that can be done to just anyone.
Non sequitur. Just because this guy exists, doesn't mean that the rest of us should have to download code that we're going to execute over an untrusted connection.
Some people can't read a URL, that's true. Chrome does a much better job there than the other browsers at helping the user. But the demographic that is installing Forge themselves likely can.
I didn't ask you to do anything about other modders. I asked you how we can get the official Forge download to be secure. THIS page:
http://files.minecraftforge.net/
I understand you don't control the content provider (ad.fly), which is why I suggested file hashes, but that is less than ideal.
The best you could do is HTTPS*, and it's just not that hard.
I'm not entirely sure why I'm the first to bring this up to you - I suppose other technical users are just using github.
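The file-hash check suggested above, as an added Python example that is not part of this thread or of Forge's own download tooling. The installer bytes, the "published" SHA-256 digest and the tampered copy are all constructed here; the function names are illustrative. Beyond the plain comparison, the last function shows the caveat the post alludes to ("less than ideal"): if an on-path attacker controls the same plain-HTTP channel that carries the hash, the attacker can rewrite both, so the digest only helps when it (or the file itself) arrives over an authenticated channel such as HTTPS.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample: stand-in bytes for an installer, and the digest a publisher
# would post for it. Both are made up for this demo, not taken from any real file.
GENUINE_INSTALLER = b"forge-installer-demo-v1\x00" + bytes(range(256))
EXPECTED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()


def sha256_hex(data: bytes, chunk_size: int = 1 << 16) -> str:
    """Hash in chunks, the way you would stream a large download from disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """True only if SHA-256(data) equals the published digest.

    Normalises case and surrounding whitespace (copied hashes often carry a
    trailing newline), rejects anything that is not 64 hex characters, and uses
    compare_digest so the comparison does not short-circuit on the first
    mismatching character.
    """
    expected = expected_hex.strip().lower()
    if len(expected) != 64:
        return False
    try:
        bytes.fromhex(expected)
    except ValueError:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def tampered(data: bytes) -> bytes:
    """Simulate an on-path modification of a plain-HTTP download (appended payload)."""
    return data + b"\n;injected-payload"


def attacker_publishes(data: bytes) -> Tuple[bytes, str]:
    """What an attacker can do when BOTH the file and its hash travel unauthenticated:
    serve a modified file together with a matching digest. verify_download() then
    passes, which is why the digest must come over a channel the attacker cannot
    rewrite (HTTPS) for the check to mean anything."""
    return data, sha256_hex(data)


if __name__ == "__main__":
    print("genuine:", verify_download(GENUINE_INSTALLER, EXPECTED_SHA256))
    print("tampered, trusted hash:", verify_download(tampered(GENUINE_INSTALLER), EXPECTED_SHA256))
    body, digest = attacker_publishes(tampered(GENUINE_INSTALLER))
    print("tampered, attacker's hash:", verify_download(body, digest))
```

The middle case is the one the hash suggestion buys you: a file altered in transit fails against a digest obtained from a trusted source. The last case is the limitation: a digest fetched over the same untrusted connection verifies whatever the attacker chose to send.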