I'd wager that a large number of the system integrators, firmware engineers and random developers scattered throughout the production chains of most of the hardware and some of the software that you're currently using have run completely untested code in scenarios orders of magnitude more hair-raising than this.
The same is probably equivalently applicable to the hardware that was used to compile the compiler that compiled the compiler that compiled the compiler that
you're using.
While it's theoretically possible that a hostile party could modify the package in-transit over HTTP/TCP, it seems far more likely that the hacked package would be placed on the "legit-looking" webserver (by hacking the webserver). In this case, looking to the SSL transport layer as any kind of credibility enhancement to the unsigned binary is worse than ignoring it.
Therefore, an unsigned binary is an unsigned binary, no matter the transport mechanism. I agree that distributing unsigned binaries is poor security practice, but I also think that it is dangerous to think that the transport of an unsigned binary over an SSL connection gives it any credibility.
So.. you haven't heard of automated MITM executable-patching (infecting) solutions? I believe I read about them a couple of years ago.
Once implemented, it's much easier than hacking servers and more convenient to do targeted, semi-targeted, local network/cafe script-kiddie attacks, without it being easily detected. Unfortunately for attackers, these days people don't download and run unverified executables as often, especially over http, so you may need lots of patience if you want do infect a specific person.
I would really love some data (or good reasoning) on how server attacks are overwhelmingly more likely, so much so that the false security impression increases risk.
MITM executable patching attacks are not theoretical. AFAIU, the first hit on "mitm executable infection" [1] and an interceptor (ARP/wifi/whatever) is all a script kiddie needs.
To me, the fact that the server being exploited to deliver bad binaries is a possibility is reason enough to be cautious, and to therefore not regard them with any more credibility than if they were delivered over unencrypted http.
My question was in relation to a unsigned executable on an unencrypted http site, as the OP site loads by default. Would you download and run one?