VLC Update occurs over HTTP
It appears that VLC's updating mechanism downloads a new VLC executable over HTTP (i.e., in clear text).
This leaves users vulnerable to man-in-the-middle binary replacement attacks.
This issue is described simply here: https://firstlook.org/theintercept/2014/08/15/cat-video-hack/
And more technically here: https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/
Please modify the update mechanism to happen over TLS (preferably with Forward Secrecy enabled).
Thanks so much!
-Morgan
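
As an added illustration of the request above (this is not VLC's code and not part of the original report), the following Python sketch shows an update fetcher that refuses clear-text URLs, refuses redirects that downgrade to clear text, and restricts TLS 1.2 to forward-secret cipher suites. The URL, function names and class name are assumptions made for the example.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample URL; not VLC's real update endpoint.
SAMPLE_UPDATE_URL = "https://updates.example.org/player/latest-win64.exe"

def require_https(url: str) -> str:
    """Return url unchanged if it is an absolute https:// URL, else raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS update URL: {url!r}")
    return url

def forward_secret_context() -> ssl.SSLContext:
    # create_default_context() enables certificate and hostname verification.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2: ephemeral ECDH with AEAD only. TLS 1.3 suites are
    # forward secret by design and are not affected by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

class NoDowngradeRedirects(urllib.request.HTTPRedirectHandler):
    """Reject a redirect that would move the download back to clear text."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        try:
            require_https(newurl)
        except ValueError as exc:
            raise urllib.error.URLError(str(exc)) from exc
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def build_update_opener() -> urllib.request.OpenerDirector:
    # Our handlers replace the default HTTPS and redirect handlers.
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=forward_secret_context()),
        NoDowngradeRedirects(),
    )

def fetch_update(url: str, timeout: float = 30.0) -> bytes:
    """Download the update body; fails closed on http:// or bad certificates."""
    with build_update_opener().open(require_https(url), timeout=timeout) as resp:
        return resp.read()
```

The redirect check matters because an updater that starts at an `https://` URL but follows a redirect to `http://` ends up fetching the binary in clear text anyway.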