It actually points to https://cryptostorm.nu, but even then it's not as secure as we'd like it to be.
So in v3 we've addressed the issue by storing setup.exe (now called cryptostorm_setup.exe) on every node, and it's only accessible from an internal HTTP server that requires you to be on the VPN.
That way any further updates can be automatically downloaded only via the VPN tunnel, and since the node stores the files, no sort of MiTM is possible.
To account for the unlikely event that a node is compromised, the v3 widget comes with a public key that will be used to verify the SHA-512 file integrity hash that's going to be downloaded along with any updates.
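
The check described above, sketched as an added example (not cryptostorm's own code): the client accepts an update only if the signature on the downloaded hash file verifies under its built-in public key and the file matches that hash. The page does not name the signature algorithm or file layout, so Ed25519, a hex-encoded hash file, a detached signature, and all function names here are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
)

// VerifyUpdate: accept only if the signature over the hash file verifies under
// the public key shipped with the client AND the file matches that hash.
func VerifyUpdate(pub ed25519.PublicKey, file, hexDigest, sig []byte) error {
	if !ed25519.Verify(pub, hexDigest, sig) {
		return errors.New("hash file signature invalid")
	}
	want, err := hex.DecodeString(string(bytes.TrimSpace(hexDigest)))
	if err != nil || len(want) != sha512.Size {
		return errors.New("hash file is not a SHA-512 hex digest")
	}
	if got := sha512.Sum512(file); !bytes.Equal(got[:], want) {
		return errors.New("file does not match signed SHA-512")
	}
	return nil
}

func hexSHA512(b []byte) []byte {
	d := sha512.Sum512(b)
	return []byte(hex.EncodeToString(d[:]))
}

// Demo uses constructed data: a genuine release, a node serving a swapped
// file, and a node that also recomputes the hash (but cannot re-sign it).
func Demo() (genuine, swappedFile, swappedBoth error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // signing key stays offline
	file := []byte("constructed installer bytes")
	sig := ed25519.Sign(priv, hexSHA512(file))
	evil := []byte("constructed tampered installer")
	return VerifyUpdate(pub, file, hexSHA512(file), sig),
		VerifyUpdate(pub, evil, hexSHA512(file), sig),
		VerifyUpdate(pub, evil, hexSHA512(evil), sig)
}

func main() {
	g, f, b := Demo()
	fmt.Println("genuine:", g, "| swapped file:", f, "| swapped file+hash:", b)
}
```

The third case is the one the public key exists for: a bare hash stored next to the file on the same node would be recomputed along with the file, while the signature cannot be.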