The download page randomly picks a mirror, so chances are you get an insecure connection. And the signature won't do much good if it's http or ftp too. For Linux it may work, but for Windows it doesn't.
The signature works fine over HTTP/FTP because it needs to be combined with a public key you already have (e.g. a distro package manager will already have the public key for all the packages), or a public key you will go get from a different source, e.g. https://sks-keyservers.net, and it's hard for a middle-man to compromise both.
