by ericfrederich 3265 days ago
I always found that fascinating myself, serving the download and checksum from the same source.

Doesn't HTTP have enough redundancy checks built in to make this pointless? The only time to really do a checksum isn't on a browser download, it's when you push it over some serial connection, or Android adb or something else.

2 comments

I suppose the "Here's the MD5 for your download" concept is useful if the file is being served from a different host than the website itself. Someone could tamper with the file server, but may not have access to the HTML rendering a link to that file server.

But you're right about serving the data & checksum from the same source. I don't see what extra layer of security or integrity it adds. Someone tampering with the server file system, or the data transfer (MitM), inherently has the access they need to inject their own MD5 into the HTML.

It's useful if you have already downloaded the file from somewhere else and want to check if it's the right one without downloading everything from scratch.

Furthermore it's very much possible to get corrupt data over HTTP if you have a poor connection and download a big file.

If you want a really secure "checksum" your best bet is probably a GPG signature file from a widely distributed and trusted key.
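
The cases raised in this thread, worked through as an added example that is not part of any comment above: a digest published next to the file catches transfer corruption but not a swap of file and digest together, while a digest obtained from a separate channel catches both. SHA-256 stands in for MD5, and the function names, sample bytes and the "pinned" digest (assumed to arrive over a separate trusted channel) are constructed for illustration.

```python
import hashlib
import hmac
import io

def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so large downloads need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def matches(data, expected_hex):
    """Constant-time comparison of the download's digest with an expected digest."""
    actual = sha256_stream(io.BytesIO(data))
    return hmac.compare_digest(actual, expected_hex.strip().lower())

def check_download(data, same_source_digest, pinned_digest):
    """Classify a download using the page's digest and an out-of-band digest."""
    if matches(data, pinned_digest):
        return "ok"
    if matches(data, same_source_digest):
        # Consistent with the download page, but not the file that was released.
        return "tampered-at-source"
    return "corrupted-or-tampered"

# Constructed sample data (not from the thread).
RELEASE = b"installer v1.0 payload " * 1000
PINNED = hashlib.sha256(RELEASE).hexdigest()  # assumption: obtained out of band

def scenarios():
    # 1. Clean download: page digest and pinned digest agree.
    clean = check_download(RELEASE, PINNED, PINNED)
    # 2. Poor connection flips one bit; the page still shows the honest digest.
    damaged = bytearray(RELEASE)
    damaged[500] ^= 0x01
    corrupt = check_download(bytes(damaged), PINNED, PINNED)
    # 3. Source modified: file and the digest on the page are replaced together.
    swapped = RELEASE + b"extra"
    swapped_digest = hashlib.sha256(swapped).hexdigest()
    tampered = check_download(swapped, swapped_digest, PINNED)
    # What a check against only the page's digest concludes in case 3.
    naive = matches(swapped, swapped_digest)
    return clean, corrupt, tampered, naive

if __name__ == "__main__":
    print(scenarios())
```

A detached signature verified against a key the user already trusts plays the role of the pinned digest here, without needing a new out-of-band value for every release.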