Is verifying ISOs downloaded from the official website worthwhile?
Yes it's worthwhile.
It takes only seconds to md5sum/etc a downloaded ISO, and it provides reassurance you weren't attacked by MITM etc. Beyond that, those seconds are insurance for the [hours of] time wasted if you had a few bit errors and debugging necessary chasing errors no-one else gets because of your download (eg. you have network issues & so try to debug; but networking is stuffed because that's what the few bits wrong were...) Think of checksum-checks as very cheap insurance.
The software needed to md5sum something will be from another source usually (an older version, even different os/distro on occasion), is very small and is already present for many/most of us.
Further it allows me to download from a local mirror, but because I grab the md5sum from the Canonical source; I've insurance that the mirror didn't play with it. Again very cheap insurance that costs me ~3secs of time.
Yes, it is VERY RECOMMENDED that you verify the image you downloaded, here are some reasons:
- Just takes a few seconds and can tell you if the integrity of the file is correct, I mean, the file is not corrupted. (A common cause of corruption is a transfer error because of technical reasons such as a flaky internet connection from @sudodus comment.)
- If the file is corrupted and you burn this ISO image into a CD/USB drive, and it won't work, or during an installation could fail, this results in a waste of time and CDs.
- You are sure that you're using the official CLEAN version of any kind of ISO image or software and not a modified version (maybe by attackers), see this report: Watch Dogs pirates hit by scurvy Bitcoin-mining malware
If you already have a GNU Linux distro, you can use md5sum, if you're in Windows you can use: WinMD5Free.
Hope it helps.
Check your /proc/net/dev
and see how many bad TCP frames you have received so far. If you see a single-digit value (hopefully a zero), read on. If you have lots or network errors, then by all means use MD5 to verify your downloads (though I would rather investigate the root cause, since unreliable network means you can't trust anything you receive via HTTP).
When you're downloading over TCP which checksums all transmitted data, there's very little chance of having a corrupt download with exactly the same size. If you're confident you're downloading from the official site (you normally are if you're using HTTPS and the certificate check passes), verifying that your download is complete is normally enough. Decent web browsers usually do the check for you anyway, saying something along the lines of "download failed" if they don't get the amount of data they expect, though I have seen browsers which just decide to keep the incomplete file without saying anything to the user, in which case you could check the file size manually.
Of course, verifying a checksum still has its value, covering you in cases where the file you're downloading is corrupt on the server, but that doesn't happen too often. Still, if you're going to use your download for something important, that's a step worth taking.
As @sudodus said in the comments, using Bittorrent instead of HTTPS is another option, since torrent clients do a much better job when dealing with incomplete/corrupt data as web browsers do.
Note that checksums don't really prevent you from being attacked, that's what HTTPS is for.