If the website providing a download isn't secure, doesn't that mean the ISP can cache an evil FBI version of TrueCrypt? With the use of subpoenaed proxy caching?
How do you know you are getting a real version? Couldn't some corrupt powerful agency force your ISP to cache an evil version, or force them to intercept anybody's legitimate traffic, and replace it with a bad version (with a backdoor installed)? I use TrueCrypt for all my personal backups, financial documents, and school documents, and I don't want an insecure version "protecting" them.
- TrueCrypt doesn't use SSL, or any web encryption. How can we know that the download we are receiving doesn't have any backdoors (RIAA backdoors, MPAA backdoors, third-world-government backdoors, etc.)?
- They offer a .sig PGP verification, but I don't know how to use this...
Am I missing something?
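The `.sig` check the post asks about, sketched with GnuPG as an added example that is not part of the original post. The file arguments and the fingerprint are placeholders; the pinned fingerprint is assumed to have been obtained over a channel other than the unencrypted download itself, since a signature checked against a key from the same tampered channel proves nothing.

```shell
#!/bin/sh
# Added example: verify a detached PGP signature against a pinned fingerprint.
# The fingerprint below is a placeholder, not a real key.
PINNED_FPR="0000000000000000000000000000000000000000"

# sig_status_ok FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only when a VALIDSIG line
# names FPR (as signing key or as primary key) and gpg reported no bad,
# unverifiable, expired-key or revoked-key signature.
sig_status_ok() {
    [ -n "$1" ] || return 2
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) ||
                             toupper($NF) == toupper(want)) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_download FILE SIGFILE KEYFILE
# Imports KEYFILE into a throwaway keyring so that no other key on the
# machine can satisfy the check, then verifies SIGFILE over FILE.
verify_download() {
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$3" 2>/dev/null &&
    gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        sig_status_ok "$PINNED_FPR"
    rc=$?
    rm -rf "$home"
    return $rc
}

# Run only when called as: script FILE SIGFILE KEYFILE
if [ "$#" -eq 3 ]; then
    if verify_download "$@"; then
        echo "signature valid and made by the pinned key"
    else
        echo "verification FAILED: do not install this file" >&2
        exit 1
    fi
fi
```

A "good signature" from an unexpected key fails this check by design, which is the case that matters when the download and the key file may both have been replaced in transit.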