If the pattern files are being signed by a cert which is linked back to a trusted root cert, and they're using certificate pinning when checking, it shouldn't matter if the patterns aren't downloaded over a secure connection or not as the signing check should detect corruption or tampering. This would be best practice. Still they need to fix the endless download if the patterns fail to match the check/hash.
↧