Why are CentOS mirrors HTTP and not HTTPS?

Solution 1:

The packages are indeed signed, hence a manipulation would be noticed. Also the packages are not secret, so there is no need to encrypt them on the transfer.

With the mass of downloads from mirrors this probably saves them a lot of resources.

Same on Debian/Ubuntu

Solution 2:

From a technical perspective, the fact that plain http content can easily be cached by proxy servers can make quite a bit of difference when you need to manage and update more than a handful of systems.

Setting up local mirrors is often overkill and not practical, but when your proxy server can serve updates from cache at LAN speeds, rather than every client in your network connecting to an online source...

Solution 3:

The packages are signed by an off-channel method (gpg keys stored on your system).

The main use of having HTTP is to make it easy to have a dependency proxy between the internet and your machines, which can save a lot of bandwidth and time by only having to download once (the first time) upgrades for potentially 1000s of (virtual) machines.

HTTPS prevents it (not completely, but makes it harder), because being end-to-end encrypted, you can't easily put something that'd intercept the downloaded packages to store them and serve them later.
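Since Solutions 1 and 3 rest on package signatures rather than transport encryption, the thing to actually check on a client is that every repo fetched over plain http has signature checking turned on. The script below is an added example (not from any of the answers above): it audits a yum/dnf `.repo` file and reports sections whose `gpgcheck` is not `1`. The repo file content is constructed inline for the demonstration; the mirror hostnames in it are placeholders.

```shell
#!/bin/sh
# Added example: report yum/dnf repo sections that do not set gpgcheck=1.
# An http baseurl is only acceptable when the package signature is verified,
# so a missing or disabled gpgcheck is what an auditor wants to see flagged.

# Constructed sample .repo file (placeholder hosts, not a real CentOS config).
SAMPLE_REPO="$(mktemp)"
cat > "$SAMPLE_REPO" <<'EOF'
[base]
name=CentOS Base (constructed sample)
baseurl=http://mirror.example.invalid/centos/7/os/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[thirdparty]
name=Third-party repo with signature checking disabled (constructed sample)
baseurl=http://mirror.example.invalid/thirdparty/
gpgcheck=0

[internal]
name=Internal repo that never sets gpgcheck (constructed sample)
baseurl=http://repo.internal.invalid/
EOF

# Print the id of every [section] whose last gpgcheck value is not 1.
# A section with no gpgcheck line at all is reported as well.
repos_without_gpgcheck() {
    awk '
        /^\[.*\]$/ {
            if (section != "" && ok != 1) print section
            section = substr($0, 2, length($0) - 2); ok = 0; next
        }
        /^ *gpgcheck *=/ {
            split($0, kv, "="); gsub(/ /, "", kv[2])
            ok = (kv[2] == "1") ? 1 : 0
        }
        END { if (section != "" && ok != 1) print section }
    ' "$1"
}

# Exit status 0 when every section has gpgcheck=1, 1 otherwise.
audit_repo_file() {
    bad="$(repos_without_gpgcheck "$1")"
    if [ -n "$bad" ]; then
        printf 'sections without gpgcheck=1 in %s:\n%s\n' "$1" "$bad"
        return 1
    fi
    printf 'all sections in %s have gpgcheck=1\n' "$1"
}

audit_repo_file "$SAMPLE_REPO" || true
```

Run it against the files in `/etc/yum.repos.d/` to get the same report for a real host.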