
For when the page is fixed, it currently says:

TurkGuvenligiTurkSec Was Here @turkguvenligi + we love openssl _




Yeah I don't see it at this point, so fairly fast turnaround.


1) hack high profile website 2) wait for it to be posted on hackernews 3) restore the page to appear normal, but embed a browser exploit 4) ... 5) profit!


I've wondered this for quite a while but why isn't there a standard for browsers like <a href="bigassfile" checksumhref="checksumhrefforbigassfile" checksumalgo="shashamd19">Download with check</a> I mean no one ever checks them anyways so it's not like they're useful. The second step would be to provide a reputable repo of software version -> checksum lookups so I didn't have to trust a given server for that. This is me thinking and drinking and I'd love comments.


Content-Security-Policy is doing something vaguely similar with <script> tags, where you add a nonce in the HTTP header and then only <script nonce='foo'> tags with those nonces are executed.

script-src at http://www.w3.org/TR/CSP11/
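
Added example, not part of the thread: a sketch of the nonce mechanism described in the comment above, with a server that issues a fresh nonce per response and a simplified model of the browser-side check. The function names, the sample markup and the checker are assumptions made for illustration; the checker is not a full CSP implementation.

```python
import re
import secrets
from html.parser import HTMLParser


def build_response(injected=""):
    """Return (headers, body) for one page load with a fresh nonce."""
    nonce = secrets.token_urlsafe(16)  # new unpredictable value per response
    headers = {"Content-Security-Policy": f"script-src 'nonce-{nonce}'"}
    body = (
        "<html><body>"
        f'<script nonce="{nonce}">app()</script>'
        f"{injected}"  # constructed stand-in for markup the site did not author
        "</body></html>"
    )
    return headers, body


class ScriptAudit(HTMLParser):
    """Simplified model of the check: a script runs only if its nonce matches."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.results = []  # one bool per <script> tag, in document order

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            # Missing or empty nonce attributes never match an issued nonce.
            self.results.append(dict(attrs).get("nonce") in self.allowed)


def audit(headers, body):
    """Assumes a script-src nonce policy is present in the headers."""
    policy = headers.get("Content-Security-Policy", "")
    allowed = re.findall(r"'nonce-([A-Za-z0-9+/_=-]+)'", policy)
    parser = ScriptAudit(allowed)
    parser.feed(body)
    return parser.results


if __name__ == "__main__":
    extra = '<script>injected()</script><script nonce="guess">injected()</script>'
    hdrs, page = build_response(extra)
    print(hdrs["Content-Security-Policy"])
    print(audit(hdrs, page))  # site script allowed, both added scripts blocked
```
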


You run right back into if you don't already trust the signer of the checksum, you can't trust the checksum, either.

The next logical step is some kind of third party authority, and then you run right into the Certificate Authority problem set, including code signing licenses like Apple and Windows use.

Some F/OSS systems are starting to use similar systems, like the newer Python package distribution systems.


Yes I agree. See my more fully fleshed out statement parallel. But checksums are currently pointless from a security standpoint.


Please see https://news.ycombinator.com/item?id=6978605 as my box was moving incredibly slowly when I wrote this. Laptops are not meant for data mining.



