Sometimes the checksums are provided securely, but the download is not. Since MD5 is broken, the security MD5 checksums provide are weaker than more secure checksums, but before MD5 was broken, a securely provided MD5 (e.g. one that was signed with PGP or GPG or Gatekeeper, or fetched over HTTPS) that matched the MD5 of the download was strong evidence that the download received was the one the server was making available.
I have been writing about the lamentable lack of secure checksums for years, here.
Users shouldn't download untrusted executables over untrusted networks and run them, because of the risk of MITM attacks.
See, e.g. "Insecurities within automatic update systems" by P. Ruissen, R. Vloothuis.
2014 Addendum: No, it's NOT wrong "that checksums posted on web pages are used to detect malicious modifications," because this IS a role they can perform. They do help protect against accidental corruption, and if served over HTTPS or with a verified signature (or better yet, both) help protect against malicious corruption! I have obtained checksums over HTTPS and verified that they matched HTTP downloads many times.
Nowadays, binaries are often distributed with signed, automatically verified hashes, yet even this is not perfectly secure.
Excerpt from above link: "The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection." ... "Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems.
Technical Analysis
The two KeRanger infected Transmission installers were signed with a legitimate certificate issued by Apple. The developer listed this certificate is a Turkish company with the ID Z7276PX673, which was different from the developer ID used to sign previous versions of the Transmission installer. In the code signing information, we found that these installers were generated and signed on the morning of March 4."
2016 Addenda:
@Cornstalks: Re. your comment below: Wrong. As currently noted at the collision attack Wikipedia article you link to, "In 2007, a chosen-prefix collision attack was found against MD5" and "the attacker can choose two arbitrarily different documents, and then append different calculated values that result in the whole documents having an equal hash value." Thus, even if the MD5 is provided securely and an attacker can't modify it, an attacker still CAN use a chosen-prefix collision attack with a chosen-prefix containing malware, which means MD5 is NOT secure for crypto purposes. This is largely why US-CERT said MD5 "should be considered cryptographically broken and unsuitable for further use."
A couple more things: CRC32 is a checksum. MD5, SHA, etc. are more than checksums; they're intended to be secure hashes. That means they're supposed to be very resistant to collision attacks. Unlike a checksum, a securely communicated secure hash protects against a man-in-the-middle (MITM) attack where the MITM is between the server and the user. It doesn't protect against an attack where the server itself is compromised. To protect against that, people typically rely on something like PGP, GPG, Gatekeeper, etc.
Why would a file need to be the same size after it's been altered? I'm saying a file could be changed, a new hash generated for the malicious version... then the hash posted on the website could be replaced with the new one by the malicious entity. – Austin ''Danger'' Powers – 2014-12-08T07:40:12.243
1Most download sites give the file size and often the creation date. I suppose those could also be altered on the web site. However, wouldn't the web site owner detect all of the hacking to the site? – fixer1234 – 2014-12-08T07:44:22.303
3If we are relying on the website host noticing subtle timestamp discrepancies instead of the MD5 hash acting as a seal of authenticity... then the protection provided by the checksum has pretty much evaporated. – Austin ''Danger'' Powers – 2014-12-08T07:45:43.367
1I'm referring to things like logs of site access rather than noticing subtle content change, although the web page could have its own hash known to the site owner. – fixer1234 – 2014-12-08T07:48:34.117
1The point is that people accessing the site have no way of knowing how proactive the website host is in checking those logs. The MD5 checksum is supposed to provide a way for people to check the integrity of their own downloads, without relying on the actions of any other parties. – Austin ''Danger'' Powers – 2014-12-08T07:49:53.363
1MD5 doesn't generate against file contents so there will never be a way of checking file integrity - apart from corruption, but this often results in a different file size so the hash will be different. If a malicious file has a valid hash then there'll be no way of telling at this stage. – Kinnectus – 2014-12-08T07:51:51.850
SHA supposedly replaces MD5 because it is harder to produce the same hash from a modified file. However, it makes no difference for the scenario you raise. – fixer1234 – 2014-12-08T07:57:27.527
4@BigChris I'm not sure what you mean, but it sounds wrong. Cryptographic hash algorithms like MD5 are completely about the message data. Two random messages of the same length will almost certainly have different hashes. – Matt Nordhoff – 2014-12-08T09:58:15.343
3@MattNordhoff exactly. If an MD5 checksum isn't generated based on file data, then what is it based on? – Austin ''Danger'' Powers – 2014-12-08T10:05:01.290
2
MD5 hash data would be constructed on the data, yes, but it wouldn't take too much effort to create a malicious file with the same hash. As said, there would be no way of checking if the file was malicious or not. Read: http://www.mscs.dal.ca/~selinger/md5collision/
– Kinnectus – 2014-12-08T14:52:25.493@MattNordhoff Where "almost certainly" = 2^(n/2) where n is the number of bits in the output hash value. Birthday attacks.
– a CVn – 2014-12-09T08:18:29.8732Sometimes hashes are published on first-party server whereas actual downloads are hosted on third-party mirrors and/or CDNs. – el.pescado – 2014-12-09T10:23:55.247
It's said that encryption is all about leverage -- instead of hiding the entire file, you can just hide a tiny key. Cryptographic hashing is the same way -- instead of verifying the entire file, you can just verify a tiny key. – that other guy – 2014-12-10T03:03:35.280