Where to download OpenBSD release ISOs over HTTPS?
There is a file called SHA256 which contains the checksums. Technically you only need that file to be transmitted securely; you could get the ISO through any means, and just verify the checksum. This would be as good as getting the whole file through HTTPS.
The OpenBSD people do not seem to maintain a public HTTPS web site with a copy of the SHA256 file. Also, HTTPS is as secure as the X.509 PKI model allows for, and OpenBSD folks seem to be somewhat queasy with regards to X.509 and the preinstalled CA in Web browsers (which is quite understandable); they seem to prefer the OpenPGP model. I think that in older days, the announcement for a new OpenBSD release was a PGP-signed email (sent to various places, including Usenet), which contained the digest for the main ISO -- thus realizing full ISO integrity relative to a PGP public key. But I am not sure they are still doing that.
Otherwise you can order a physical, tangible CD set (or DVD). They are not expensive.
First of all, OpenBSD is really just on a server in Canada, where the development takes place, through CVS. People replicate the tree by connecting using SSH there etc. When releases are made, ISOs are created and mirrors replicate them. I imagine they get the files using a secure way, but can't know for sure. Then you have a list of mirrors to download from.
I checked and one of the mirrors supports HTTPS (it is a server located at the Electrical Engineering department of Virginia Tech university):
https://mirror.ece.vt.edu/pub/OpenBSD/4.9/
HTTPS is not really needed for downloading the ISOs. In each directory, in all mirrors, there is a file called SHA256 which contains the SHA256 checksum of each file in the directory. This is the one file you should really get in a secure manner - the files will get verified against that later. Since there are multiple mirrors, if one is compromised, you can check the checksum file on another mirror.
I agree, they should make available a way to securely authenticate the ISOs.
They should provide an authenticated mechanism (to https://www.openbsd.org) to retrieve the SHA hashes instead of leaving the hashes sitting beside the just-as-easily-compromised ISO file.
But in the absence of that you can download, wait, and verify that there isn't a security stink before using the relevant ISO. Check that the SHAs are the same on all mirrored sites. I would think that 1 week would be enough.
(I see @Thomas Pornin has just said most of what I said above)
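The procedure both of the answers above describe (fetch the SHA256 file, compare it across mirrors, then verify the ISO against it) as an added worked example, not code from the thread or from OpenBSD. It parses the `SHA256 (name) = digest` line format the release directories use; the file names, digests and the two "mirror" manifests are constructed locally so it runs offline, and it assumes either GNU `sha256sum` or OpenBSD's `sha256 -q` is on the PATH.

```shell
#!/bin/sh
# Added example: verify a release file against an OpenBSD-style SHA256
# manifest and cross-check the manifest as fetched from two mirrors.
# All inputs below are constructed stand-ins, not real release data.

# Hex SHA-256 of a file; works with GNU coreutils or OpenBSD's sha256.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Expected digest for one file name from a manifest whose lines read:
#   SHA256 (install49.iso) = <64 hex chars>
# Prints nothing if the file is not listed.
expected_digest() {
    awk -v f="($2)" '$1 == "SHA256" && $2 == f && $3 == "=" { print $4; exit }' "$1"
}

# 0 = digest matches manifest, 1 = mismatch (tampered or corrupt),
# 2 = manifest has no entry for this file (treat as a failure too).
verify_file() {
    name=$(basename "$2")
    want=$(expected_digest "$1" "$name")
    [ -n "$want" ] || return 2
    [ "$(digest "$2")" = "$want" ]
}

# Two manifests fetched from different mirrors should be byte-identical;
# a lone modified mirror shows up as a disagreement.
manifests_agree() {
    cmp -s "$1" "$2"
}

# Constructed fixtures: a fake "ISO", an honest manifest, a tampered one.
WORK=$(mktemp -d)
printf 'constructed stand-in for install49.iso\n' > "$WORK/install49.iso"
GOOD=$(digest "$WORK/install49.iso")
BAD=$(printf '%064d' 0)   # deliberately wrong digest
printf 'SHA256 (install49.iso) = %s\n' "$GOOD" > "$WORK/SHA256.mirror1"
printf 'SHA256 (install49.iso) = %s\n' "$BAD"  > "$WORK/SHA256.mirror2"

if manifests_agree "$WORK/SHA256.mirror1" "$WORK/SHA256.mirror2"; then
    echo "mirrors agree"
else
    echo "mirrors DISAGREE: trust neither until resolved"
fi
verify_file "$WORK/SHA256.mirror1" "$WORK/install49.iso" && echo "install49.iso: OK"
```

With real downloads you would point the manifest arguments at the SHA256 files saved from two different mirrors and the file argument at the ISO you fetched.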