Is there any reason to verify a download checksum over HTTPS
I wouldn't think HTTPS would catch either of those. AFAIK HTTPS offers no additional protection from corruption over TCP.
I'm no security expert, but I know that TLS (HTTPS) does these 2 things:
- Verifies that the server you are connecting to is actually who they say they are.
For example if you type in https://microsoft.com and your traffic gets sent to https://badguys.com instead without your knowledge (DNS spoofing), you'll get a certificate error. Sure the bad guys could create a fake certificate on https://badguys.com that claims to be https://microsoft.com, but it won't be signed by a valid certificate authority. - Encrypts the traffic so that it cannot be read/altered by a Man-in-the-middle attack (MITM). In this scenario, someone can see all your network traffic. If you weren't using TLS they could detect a
GET
request and start sending you fake data, in place of the real data from the web server.
Back on the topic of downloads, many sites distribute their large downloads to mirrors. If the mirror is compromised, the file can be replaced with a malicious version. Even if the mirror uses TLS, if it was hacked or wrongfully added to the mirror list, you can be downloading a malicious version from a HTTPS site. And of course if this happens, they will update the checksum on the mirror.
This is why you should never verify a download against a checksum from a mirror, only use the checksum from the original site (as per this question).