Uh, in case you didn't notice, those SHA checksums are also PGP signed.
I Googled Mozilla Thunderbird and the first hit was the download page, using HTTPS. You're right SSL isn't enforced, but that's a chicken and egg problem for Firefox downloads I guess, now that TLS 1.2 is enforced and the user may be stuck with a browser not supporting that.
In case you didn't read, yes I said they were GPG signed. But they don't make that info available (or linked) on the main download page, you have to google to find it.
SSL 3 is still fine for protecting integrity, just not confidentiality, so it is okay for downloads.
I Googled Mozilla Thunderbird and the first hit was the download page, using HTTPS. You're right SSL isn't enforced, but that's a chicken and egg problem for Firefox downloads I guess, now that TLS 1.2 is enforced and the user may be stuck with a browser not supporting that.