My freshman intro to engineering computing class has ~500 freshman download PuTTY from the non-https site every year. I'll email the instructor this article - is the problem that it could be infected, or is it known to be infected with undesirable software? Quality of PuTTY aside, could someone just host the most common download on an https site?
There are version(s?) floating around that are infected.
Not (normally) on the source site - but there's no guarantee that someone doesn't MITM you and inject something.
Someone could host the download on an https site, and yes, it'd be an improvement, but that just moves who to trust to the site owner (and everyone on the certificate/hosting chain for the site).