That's not entirely true. Since i found how to poison my ISP's PeerApp "invisible" cache servers i started to check MD5 when downloading manually. It does cache big files but not small ones.
Here is the link for technical details if you are interested.
http://godlessmechanics.blogspot.com/2011/12/tale-of-sneaky-...
Idea: protocol- and package-format-independent verification of packages, with trust rooted in DNSSEC of the ultimate source domain using DANE.