
I noticed last year that ubuntu.com - despite being the source from which most people download Ubuntu .isos - has no HTTPS capability and doesn't offer any checksums or gpg signatures on their download page. I believe you can find gpg signatures if you scratch around on their ftp server, but it is ridiculous to assume users will do this (especially when Ubuntu is trying to be a user-friendly distro).

Anyway, as a result I ended up emailing their webmaster asking why Ubuntu.com has no SSL cert, and I haven't heard anything back yet. I think it is pretty poor that a company like Canonical can have such a flagrant disregard for basic security practices, especially when it likes to market Ubuntu as a 'secure' OS.




It's a bit convoluted. Follow this guide - https://help.ubuntu.com/community/VerifyIsoHowto

If you are running Ubuntu then you already have the signing key (run apt-key list), otherwise you can compare the full fingerprint with the one printed in terminal output in the guide that's hosted on https.


It's on HTTPS, but it's also a Wiki that anyone can edit. This is the most recent change: https://help.ubuntu.com/community/VerifyIsoHowto?action=diff...
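
The verification discussed in this thread, as an added example that is not part of any comment above and is not Ubuntu's own tooling: it checks that the status text gpg emits with `--status-fd` while verifying `SHA256SUMS.gpg` contains a `VALIDSIG` line for a pinned full fingerprint, then checks the image's SHA-256 against the signed list. The fingerprint, file name and sample data are constructed placeholders; a real fingerprint has to come from a source you already trust.

```python
import hashlib

# Placeholder, NOT a real Ubuntu key. Pin the full 40-hex-digit fingerprint
# obtained from a source you already trust.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

def normalize_fpr(fpr):
    """Drop spaces and colons, upper-case, so printed forms compare equal."""
    return "".join(c for c in fpr if c not in " :").upper()

def signer_is_pinned(gpg_status, pinned):
    """True only if a VALIDSIG status line names the pinned full fingerprint."""
    want = normalize_fpr(pinned)
    if len(want) != 40:  # refuse short key IDs; they are cheap to collide
        return False
    for line in gpg_status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            # gpg puts the primary key fingerprint last when it reports one
            got = parts[-1] if len(parts) >= 12 else parts[2]
            if normalize_fpr(got) == want:
                return True
    return False

def expected_digest(sums_text, filename):
    """Look up filename in SHA256SUMS text ('<hex>  name' or '<hex> *name')."""
    for line in sums_text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if name.lstrip(" *") == filename and len(digest) == 64:
            return digest.lower()
    return None

def iso_matches(image, sums_text, filename):
    """Hash a binary file object in chunks and compare with the signed list."""
    want = expected_digest(sums_text, filename)
    if want is None:
        return False
    h = hashlib.sha256()
    for chunk in iter(lambda: image.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest() == want

# Constructed sample data (not real Ubuntu artifacts), so the checks run offline.
SAMPLE_IMAGE = b"constructed stand-in for an ISO image\n"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_IMAGE).hexdigest() + " *example.iso\n"
SAMPLE_STATUS = ("[GNUPG:] VALIDSIG " + PINNED_FPR +
                 " 2016-01-01 1451606400 0 4 0 1 8 00 " + PINNED_FPR + "\n")
```

Both checks have to pass: a matching hash proves nothing if the checksum list was not signed by the pinned key.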



