Https for apt-get update, upgrade, dist-update, etc

Am I being overly paranoid regarding the infection of system updates via a malicious Tor exit node? This happened to Windows binaries.

How difficult would it be to encrypt the transmission of system updates? Are there Debian or third party servers that allow this?

Debian updates:
Malicious Tor exit relays or their ISP’s are unable to do anything unless they got a vulnerability in apt-get or gnupg. This is because all the repository is signed and apt-get notices signature verification errors. It passes the TUF threat model.
More info:

“Easy.” (Difficulty: **** of ********** as per scale: Frequently Asked Questions - Whonix ™ FAQ)
Might be useful for security in depth. I am not aware of any free public apt update servers. There is Debian -- Error and in jessie also Debian -- Error. What’s missing is someone doing the administration effort and sponsoring update server(s).