Today the page gpg4win/download.html is served over a plain HTTP connection, so there is no way of truly verifying that the downloaded binary and the published information used to verify its authenticity (SHA1 sig, OpenPGP sig ID) are valid.
The same obviously applies to the page gpg4win/package-integrity.html, which is not served over HTTPS either, so all the information present there could be modified by a MITM and point to a rogue OpenPGP sig ID.
In order for the information present on the website to be trustworthy it should probably be:
- Served over https using a decent ciphersuite (TLS 1.2, ECDHE+AES-GCM)
- Using at least a certificate that includes the OpenPGP ID.
- Signed by a CA (I despise the CA Mafia as much as anybody else, but so far it’s the best cross-platform option).
- Signed using the Monkeysphere platform for pure OpenPGP validation.
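As an added illustration (not code from the original post or from the Gpg4win project), the script below checks a download or integrity page against the first two points above: it refuses plain-http URLs outright, then does a certificate-validated TLS handshake and reports whether TLS 1.2 or newer with an ECDHE + AES-GCM suite was negotiated. The example URLs are constructed, and the policy check is kept as a pure function so it can be exercised offline; it also accepts TLS 1.3 suites, which are always ephemeral-ECDHE even though their names omit the key exchange.

```python
"""Check that a page serving download hashes / OpenPGP key IDs is reachable the
way the post asks for: HTTPS only, TLS 1.2 or newer, ECDHE + AES-GCM."""
import socket
import ssl
from urllib.parse import urlparse

MIN_TLS = ("TLSv1.2", "TLSv1.3")


def cipher_meets_policy(tls_version: str, cipher_name: str) -> bool:
    """True if the negotiated parameters satisfy TLS 1.2+ with ECDHE and AES-GCM.
    TLS 1.3 suite names (e.g. TLS_AES_256_GCM_SHA384) omit the key exchange
    because TLS 1.3 is always ephemeral (EC)DHE, so only the AEAD is checked."""
    if tls_version not in MIN_TLS:
        return False
    if tls_version == "TLSv1.3":
        return "_AES_" in cipher_name and "_GCM_" in cipher_name
    return cipher_name.startswith("ECDHE-") and "AES" in cipher_name and "GCM" in cipher_name


def url_is_https(url: str) -> bool:
    return urlparse(url).scheme == "https"


def check_url(url: str, timeout: float = 5.0) -> dict:
    """Handshake with CA-chain and hostname validation and report what was
    negotiated. A plain-http URL is rejected before any connection is made,
    since its content (hashes, key IDs) can be altered in transit by a MITM."""
    if not url_is_https(url):
        return {"url": url, "ok": False, "reason": "not served over https"}
    host = urlparse(url).hostname
    ctx = ssl.create_default_context()  # default context verifies cert chain + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version()
            cipher_name = tls.cipher()[0]
    ok = cipher_meets_policy(version, cipher_name)
    return {"url": url, "ok": ok, "tls": version, "cipher": cipher_name,
            "reason": None if ok else "weak TLS version or cipher suite"}


if __name__ == "__main__":
    # Constructed example URLs mirroring the two pages named in the post.
    for u in ("http://example.invalid/gpg4win/download.html",
              "https://example.invalid/gpg4win/package-integrity.html"):
        try:
            print(check_url(u))
        except OSError as exc:  # ssl.SSLError and DNS/connect failures are OSError subclasses
            print({"url": u, "ok": False, "reason": f"handshake failed: {exc}"})
```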