md5 man-in-the-middle

Why is an MD5 sum considered a means to authenticate the integrity of a file, when one can simply modify the page where it is mentioned?


I heard that the reason one uses hashes like MD5 or SHA-1 on large files is because it is hard to tamper with a large file and get the same hash. My question is something different:

On every webpage that links to a large file (for example, a Debian ISO, etc.), there is normally either a link to another page which has the hash, or the hash is listed on the same page. What is to stop a hacker's MITM attack from tampering with both the .iso image and inserting the new signature on the page? If he has the capability of making a user download his ISO (instead of the original version), it should be relatively simple to get the same user to download a modified webpage with the hash, right?

Is it a deterrent simply because a hash is so much smaller that someone would notice the change on a page?


Solution

  • If the hash is listed on a page that is available via HTTPS, then the certificate of the page is supposed to guarantee the authenticity of the hash you are downloading. Doing a MITM attack on HTTPS is supposed to be the hard part. If you download the hash via HTTP, then you are correct that the MITM attack would work.

    Some distros produce a cryptographically signed hash of the ISO, and you're supposed to have their public key to verify that.

    OpenBSD doesn't rely upon HTTPS... it does something different: https://www.openbsd.org/papers/bsdcan-signify.html
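
The difference between a hash fetched over the same untrusted channel and a signed checksum file, as an added example that is not part of the original answer. A Lamport one-time signature built from SHA-256 stands in for a distro's real signing tool (GPG, signify) so the code runs with only the standard library; all function names and the ISO bytes are constructed for illustration.

```python
import hashlib, secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def bits(msg: bytes):
    # The 256 bits of SHA-256(msg), most significant bit first.
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature: an assumed stand-in for the distro's signing key.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def checksum_line(iso: bytes) -> bytes:
    return hashlib.sha256(iso).hexdigest().encode() + b"  image.iso\n"

def hash_only_check(iso: bytes, sums: bytes) -> bool:
    # What a user does with a hash copied from a plain HTTP page.
    return checksum_line(iso) == sums

def signed_check(pk, iso: bytes, sums: bytes, sig) -> bool:
    # Check the signature over the checksum file first, then the ISO's hash.
    return verify(pk, sums, sig) and hash_only_check(iso, sums)

def demo():
    sk, pk = keygen()                 # pk reaches the user once, out of band
    iso = b"constructed genuine ISO bytes"
    sums = checksum_line(iso)
    sig = sign(sk, sums)              # published next to the checksum file
    # A MITM on plain HTTP swaps both the ISO and the listed hash, but can
    # only replay the old signature because it does not hold sk.
    evil_iso = b"constructed tampered ISO bytes"
    evil_sums = checksum_line(evil_iso)
    return {
        "genuine_signed": signed_check(pk, iso, sums, sig),
        "tampered_hash_only": hash_only_check(evil_iso, evil_sums),
        "tampered_signed": signed_check(pk, evil_iso, evil_sums, sig),
        "tampered_iso_old_sums": signed_check(pk, evil_iso, sums, sig),
    }
```

The hash-only check accepts the tampered pair because both values came from the attacker; the signed check rejects it because the trust anchor is the public key the user already held, not the page.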