I see, we're supposed to trust this bunch who offer no http services but only https via a certificate which is not valid for their domain, are we? They take security really, really seriously, do they? How, exactly? Doesn't that seem a tiny bit feeble? Some of the commenters here are praising this site but what I can see of it is not at all reassuring...
What the hell are you talking about? That's a valid cert issued by a reputable CA for *.boum.org, and is therefore valid for tails.boum.org:
Certification path for "*.boum.org"
Subject: OU=Domain Control Validated,OU=Gandi Standard Wildcard SSL,CN=*.boum.org
Issuer: C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA
Validity: from 2013.01.03 00:00:00 UTC to 2015.01.03 23:59:59 UTC
Further, why the hell would you prefer HTTP for any reason? What security advantages does HTTP have over HTTPS via a wrong and/or expired cert? No matter how illegitimate a certificate may appear, I'll take it over transferring plaintext.
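Added example, not part of either comment above: a small Python check of the two facts the reply cites, that the name `*.boum.org` covers `tails.boum.org` and that the date falls inside the quoted validity window. The function names and the rule requiring at least two fixed labels after the `*` are assumptions of this sketch; it does not verify the chain to the issuing CA.

```python
from datetime import datetime, timezone

# Values quoted in the reply above.
CERT_NAME = "*.boum.org"
NOT_BEFORE = datetime(2013, 1, 3, 0, 0, 0, tzinfo=timezone.utc)
NOT_AFTER = datetime(2015, 1, 3, 23, 59, 59, tzinfo=timezone.utc)


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' must be the entire leftmost label
    and stands for exactly one label of the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard never spans zero or several labels
    if any("*" in label for label in p[1:]):
        return False  # wildcard is only allowed in the leftmost label
    if p[0] == "*":
        # Assumption of this sketch: reject overly broad names such as "*.org".
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards ("t*.boum.org") are not accepted here
    return p == h


def cert_problems(hostname: str, when: datetime, pattern: str = CERT_NAME) -> list:
    """Return the reasons a client would reject the certificate (empty list = OK)."""
    problems = []
    if not wildcard_matches(pattern, hostname):
        problems.append("name mismatch")
    if when < NOT_BEFORE:
        problems.append("not yet valid")
    if when > NOT_AFTER:
        problems.append("expired")
    return problems


if __name__ == "__main__":
    mid_2014 = datetime(2014, 6, 1, tzinfo=timezone.utc)  # constructed sample date
    for host in ("tails.boum.org", "boum.org", "a.tails.boum.org"):
        print(host, cert_problems(host, mid_2014) or "ok")
```

Note that the bare domain `boum.org` and deeper names such as `a.tails.boum.org` are not covered by the wildcard, which is a common source of "certificate not valid for this domain" warnings.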