Of my first steps into the world of Linux this year, this sort of procedure has been one of the most glaringly disturbing. Another similar one was packages being downloaded over HTTP.
Debian packages are signed; they are safe to transmit over HTTP. See https://wiki.debian.org/SecureApt (which appears to have been written around the time of the transition, so it's out of date; e.g. SHA1 signatures are no longer trusted, etc.).
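To make the reply concrete, here is an added example (my own code, not from the post above or from Debian/apt) of the hash chain that sits under a signed Release file: Release lists the SHA256 of the Packages index, Packages lists the SHA256 of each .deb, so once the OpenPGP signature on InRelease has been verified nothing on the HTTP path can substitute a different index or package without the mismatch being caught. The Release and Packages text and the "deb" bytes are constructed stand-ins, and the signature verification itself (gpgv against the keys in /etc/apt/trusted.gpg.d) is assumed to have already passed. The code also ignores MD5/SHA1 entries, as a modern apt does, and honours the Valid-Until field, which is what stops a man-in-the-middle from replaying an old, still-signed Release forever.

```python
"""Verify the SecureApt hash chain: Release -> Packages -> .deb (constructed data)."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a package file; a real archive serves the .deb itself.
DEB_BYTES = b"constructed stand-in for hello_2.10-2_amd64.deb\n"
DEB_PATH = "pool/main/h/hello/hello_2.10-2_amd64.deb"

# Constructed Packages index stanza, in the real field layout.
PACKAGES_TEXT = (
    "Package: hello\n"
    "Version: 2.10-2\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    "\n"
)
PACKAGES_PATH = "main/binary-amd64/Packages"


def make_release(strong=True):
    """Build a constructed Release body. In a real archive this text is inside the
    OpenPGP clearsign (InRelease) that apt verifies before believing any of it;
    that signature check is assumed to have passed here."""
    data = PACKAGES_TEXT.encode()
    lines = [
        "Origin: Example",
        "Suite: stable",
        "Date: Sat, 01 Jan 2022 00:00:00 UTC",
        "Valid-Until: Sat, 08 Jan 2022 00:00:00 UTC",
        "MD5Sum:",
        f" {hashlib.md5(data).hexdigest()} {len(data)} {PACKAGES_PATH}",
    ]
    if strong:  # strong=False simulates an archive that only publishes weak hashes
        lines += ["SHA256:", f" {hashlib.sha256(data).hexdigest()} {len(data)} {PACKAGES_PATH}"]
    return "\n".join(lines) + "\n"


def parse_release(text):
    """Return (fields, hashes); hashes maps algorithm -> path -> (digest, size)."""
    fields, hashes, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" ") and section:
            digest, size, path = line.split()
            hashes[section][path] = (digest, int(size))
        elif ":" in line:
            key, _, value = line.partition(":")
            if key in ("MD5Sum", "SHA1", "SHA256", "SHA512") and not value.strip():
                section, hashes[key] = key, {}
            else:
                section, fields[key] = None, value.strip()
    return fields, hashes


def release_is_fresh(fields, now):
    """Reject a replayed Release once its Valid-Until has passed (apt does the same)."""
    valid_until = fields.get("Valid-Until")
    if not valid_until:
        return True  # field is optional; apt only enforces it when present
    expiry = datetime.strptime(valid_until, "%a, %d %b %Y %H:%M:%S UTC")
    return now <= expiry.replace(tzinfo=timezone.utc)


def index_matches(hashes, path, data):
    """Only SHA256 entries count; MD5Sum/SHA1 lines are ignored as untrusted."""
    entry = hashes.get("SHA256", {}).get(path)
    if entry is None:
        return False
    digest, size = entry
    return size == len(data) and hashlib.sha256(data).hexdigest() == digest


def parse_packages(text):
    """Split a Packages index into stanzas (blank-line separated field dicts)."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def deb_matches(stanzas, path, data):
    for stanza in stanzas:
        if stanza.get("Filename") == path:
            return (int(stanza.get("Size", -1)) == len(data)
                    and stanza.get("SHA256") == hashlib.sha256(data).hexdigest())
    return False


def verify_chain(release_text, packages_text, deb_path, deb_bytes, now):
    """True only if Release is fresh, Packages matches Release, and the .deb matches Packages."""
    fields, hashes = parse_release(release_text)
    return (release_is_fresh(fields, now)
            and index_matches(hashes, PACKAGES_PATH, packages_text.encode())
            and deb_matches(parse_packages(packages_text), deb_path, deb_bytes))


if __name__ == "__main__":
    now = datetime(2022, 1, 3, tzinfo=timezone.utc)
    print("genuine:", verify_chain(make_release(), PACKAGES_TEXT, DEB_PATH, DEB_BYTES, now))
    print("tampered deb:", verify_chain(make_release(), PACKAGES_TEXT, DEB_PATH, DEB_BYTES + b"x", now))
```

Run it and the genuine chain verifies while a single flipped byte in the .deb, an edited Packages index, a Release that offers only MD5 sums, or a Release replayed after its Valid-Until date is rejected. What HTTP does not give you is confidentiality: an observer still sees which packages a host downloads, which is the residual argument for HTTPS mirrors even though integrity does not depend on them.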