After years serving their (free version) packages and key over plain HTTP from the domain nginx.ORG, nginx has finally set up a certificate for the .org domain. Using Let's Encrypt for that matter.

It's worth pointing out that serving the package/tarball/rpm over HTTP wouldn't be a security issue by itself because the package's integrity could still be verified with nginx's key. However, the key itself has always only been available over plain HTTP as well, so checking the package's integrity was pretty pointless. http://nginx.org/en/linux_packages.html