I know Micah Lee has been making the case for HTTPS connections for some time. Why can't Debian make this happen? This bug makes clear that relying on validating signatures is not foolproof 100% of the time and that additional layers of protection should be in place to try to mitigate weaknesses (even temporary ones).
What with Let's Encrypt now active, there is no excuse to not move everything to HTTPS for updating. https://www.debian.org/security/2016/dsa-3733
