This is regarding dotpdn.com. At a minimum, this page http://www.dotpdn.com/downloads/pdn.html and the zip file should be served over HTTPS.
Inside the zip, the installer exe is signed by a "verified publisher", which is reassuring. But it's possible for an attacker to serve me a different zip file. Some users will run an exe that isn't signed by a verified publisher. Those users will get owned.
If we use https://letsencrypt.org/ then the only cost is developer time.
What does the dotpdn.com stack look like? I may be able to give configuration advice.
