It's slightly more of a nuisance for the attacker to modify the hash as well as the file, but if they can modify the .zip you get, then they'll surely have no trouble doing "s/the original zip's hash/their malicious zip's hash/" on all your unauthenticated web traffic too. It's a simpler modification than Upside-Down-Ternet.
In this case, they do need to create a compromised version of the zip before you view the hash, but that can be arranged with good probability by tracking the web pages you visit, pre-computing compromises of popular downloads, and/or slowing down your page load speed to give them enough time to compute and serve you compromised hashes. It wouldn't be too hard for an accomplished Web villain to have a good shot at compromising your computer if you are using public WiFi or they have ISP- or NSA-level access, provided you download software insecurely. (My unfortunately ranty blog post on the matter: http://idupree.dreamwidth.org/3233.html)
HTTPS isn't perfect, but it (and/or other cryptographic signing) is the minimum we should accept for downloads of code that can quietly pwn your user account when you run 'make'.
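As an added example (not the commenter's code), here is a small Python simulation of the argument above: a hash published over the same unauthenticated channel as the archive gets rewritten alongside it and the same-channel check still passes, while comparing against a hash obtained through an authenticated channel catches the substitution. The archive bytes, the paths and the `mitm_fetch` rewrite are constructed for the demonstration and are not real downloads.

```python
import hashlib

# Constructed sample artifacts standing in for a real download (not real files).
ORIGINAL_ZIP = b"PK\x03\x04 genuine project archive"
MALICIOUS_ZIP = b"PK\x03\x04 same archive with a tampered Makefile"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The origin server as a path -> body table; the hash is published on the
# same unauthenticated channel as the archive, as the comment describes.
ORIGIN = {
    "/project.zip": ORIGINAL_ZIP,
    "/project.zip.sha256": sha256_hex(ORIGINAL_ZIP).encode() + b"\n",
}


def honest_fetch(path: str) -> bytes:
    """Plain HTTP with nobody on path: bodies arrive unmodified."""
    return ORIGIN[path]


def mitm_fetch(path: str) -> bytes:
    """Plain HTTP with an on-path attacker (constructed): the archive is
    swapped and s/original hash/malicious hash/ is applied to every body."""
    body = MALICIOUS_ZIP if path == "/project.zip" else ORIGIN[path]
    return body.replace(sha256_hex(ORIGINAL_ZIP).encode(),
                        sha256_hex(MALICIOUS_ZIP).encode())


def verify_same_channel(fetch) -> bool:
    """Download archive and hash over the same channel and compare.
    This detects accidental corruption only; a consistent rewrite of both passes."""
    archive = fetch("/project.zip")
    published = fetch("/project.zip.sha256").decode().strip()
    return sha256_hex(archive) == published


def verify_against_pinned_hash(fetch, expected_hex: str) -> bool:
    """Compare against a hash obtained through an authenticated channel
    (an HTTPS page, signed release notes, or a value recorded out of band)."""
    return sha256_hex(fetch("/project.zip")) == expected_hex


if __name__ == "__main__":
    pinned = sha256_hex(ORIGINAL_ZIP)  # assumed fetched over HTTPS beforehand
    print("same-channel check, no attacker:", verify_same_channel(honest_fetch))
    print("same-channel check, MITM:       ", verify_same_channel(mitm_fetch))
    print("pinned-hash check, MITM:        ", verify_against_pinned_hash(mitm_fetch, pinned))
```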