If you aren't connecting to a site through SSL, as dotgoat says, it's entirely possible for all the data you receive and see in your web browser to be tampered with. I think he downplays the risk though -- without SSL, it's trivially easy to do: it would take all of 15 minutes for someone to write a script that selectively replaced downloads with malicious installers that included the original download link's data so that you'd never even notice.Well, 15 minutes may be an understatement... more like an hour or two I suppose. Not including the malicious addition to your download, of course. Also, the Tor browser automatically uses SSL if it's available -- but whether it's available at a given site for a given program I can't comment on.