Hello dear Canonical team,
the offered Thunderbird snap uses only HTTPS to secure the download of Thunderbird itself and its language packs. At least I found this snapcraft.yaml proving it:
Due to recent attacks against HTTPS by changing network routes and creating new trusted certificates for official domains [1], HTTPS alone is not trustworthy anymore. Could you please integrate a check of the SHA512SUMS (an additional GPG check would be the best of course but is maybe not so easy to implement) after downloading Thunderbird itself and all the language packs? The same is already done for the Chromium snap as far as I could see.
Thank you very much!
[1] https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600