What's to stop someone from just MITMing a checksum?

A lot of sites offer MD5 or SHA sums to verify the validity of your download, but why do some things rely almost entirely on this?

Is there anything in place to prevent people from just replacing the checksum with the malicious binary's checksum?