
fetchurl does not check the certificate: possible malicious address redirects #5837

@psydvl

Description


Describe the bug

For now, fetchurl does not check the certificate and can follow malicious redirects.
Like I faced just now, when Nix tried to download a package source from a URL blocked in my country, while a second, fully accessible one was available.

More details in NixOS/nixpkgs#152281

Steps To Reproduce
Known to me:

  1. Move to Russia(?), or launch a VPN to Russia, or create some DNS rule(?)
  2. Try to install nixpkgs.tor-browser-bundle-bin

Expected behavior

Nix finds out about the certificate replacement and tries to download from the next available src source.

nix-env --version output

```
$ nix-env --version
nix-env (Nix) 2.4
$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.3-zen1, NixOS, 21.11 (Porcupine)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.4`
 - channels(root): `"nixos-21.11.334797.6979c0e49bb, nixos-unstable-22.05pre340469.cb372c3b888"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos
```

Additional context
Possibly related #4173
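The behaviour the report asks for, a fetcher that walks a list of mirrors, treats a certificate that fails validation as "skip this mirror" rather than as a reason to disable verification, and rejects any body whose SHA-256 does not match the pinned digest, as an added example. This is illustration code written for this page, not Nix's or nixpkgs' fetchurl implementation (nixpkgs' fetchurl does compare the download against a pinned hash, so a substituted payload fails the build either way). The mirror URLs, the payload bytes and the simulated network table are all constructed for the demo; `default_fetcher` is the only part that touches the real network and is not exercised by the demo.

```python
import hashlib
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample payload and its pinned digest (stands in for a source tarball).
PAYLOAD = b"tor-browser-bundle sample payload (constructed, not a real tarball)\n"
EXPECTED_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()

# Hypothetical mirror list, in preference order; not taken from nixpkgs.
MIRRORS: List[str] = [
    "https://dist.torproject.org/example.tar.xz",
    "https://tor.eff.org/dist/example.tar.xz",
]


class FetchError(Exception):
    """Raised when every mirror was tried and none produced the pinned content."""


def default_fetcher(url: str) -> bytes:
    """Real network fetcher. create_default_context() sets CERT_REQUIRED and
    check_hostname=True, so a forged or intercepted certificate makes urlopen
    raise URLError whose .reason is an ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read()


def _is_cert_failure(exc: BaseException) -> bool:
    """True if the failure is a TLS certificate validation error, whether raised
    directly or wrapped in urllib.error.URLError(.reason)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return True
    return isinstance(getattr(exc, "reason", None), ssl.SSLCertVerificationError)


def fetch_with_fallback(urls: List[str], expected_sha256: str,
                        fetcher: Callable[[str], bytes] = default_fetcher) -> Tuple[str, bytes]:
    """Try each mirror in order. A certificate failure or transport error moves on
    to the next mirror; verification is never relaxed. The body must hash to the
    pinned digest or the mirror is treated as failed too."""
    errors: List[Tuple[str, str]] = []
    for url in urls:
        try:
            data = fetcher(url)
        except OSError as exc:  # URLError and SSLError are both OSError subclasses
            kind = "certificate verification failed" if _is_cert_failure(exc) else "transport error"
            errors.append((url, f"{kind}: {exc}"))
            continue
        got = hashlib.sha256(data).hexdigest()
        if got != expected_sha256:
            errors.append((url, f"hash mismatch: got {got}"))
            continue
        return url, data
    raise FetchError("all mirrors failed: " + "; ".join(f"{u}: {m}" for u, m in errors))


def make_fake_fetcher(table: Dict[str, object]) -> Callable[[str], bytes]:
    """Constructed stand-in for the network: maps a URL to the bytes it serves
    or to the exception the TLS/transport layer would raise."""
    def fetcher(url: str) -> bytes:
        outcome = table[url]
        if isinstance(outcome, BaseException):
            raise outcome
        return outcome  # type: ignore[return-value]
    return fetcher


def demo() -> str:
    """Scenario from the report: the first mirror is intercepted and presents a
    certificate that does not validate, the second mirror is fine. Returns the
    URL that actually satisfied the pinned hash."""
    table = {
        MIRRORS[0]: ssl.SSLCertVerificationError("CERTIFICATE_VERIFY_FAILED (constructed)"),
        MIRRORS[1]: PAYLOAD,
    }
    url, _data = fetch_with_fallback(MIRRORS, EXPECTED_SHA256, make_fake_fetcher(table))
    return url


def demo_tampered() -> str:
    """Second mirror is reachable over valid TLS but serves altered bytes: the
    pinned hash must reject it. Returns the aggregated error message."""
    table = {
        MIRRORS[0]: ssl.SSLCertVerificationError("CERTIFICATE_VERIFY_FAILED (constructed)"),
        MIRRORS[1]: b"not the bytes we pinned",
    }
    try:
        fetch_with_fallback(MIRRORS, EXPECTED_SHA256, make_fake_fetcher(table))
    except FetchError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print("served by:", demo())
    print(demo_tampered())
```

The two things worth noticing: the certificate failure is caught and logged per mirror but the `ssl` context is never weakened, and the hash check runs on whatever a mirror returns, so a redirect to a host with a valid certificate but different content is rejected just like one with a bad certificate.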
