The difference is that the BitTorrent protocol has a mechanism to verify that you have received what you want to receive, unlike HTTP.
HTTP has no mechanism to verify that you are actually connected to the server you want to connect to. In theory, if circumstances permit, HTTP is susceptible to a man-in-the-middle attack. This means that, from your side, it looks like you're connected to example.com, but in reality you're connected to a third party that intercepts and manipulates network traffic and only gives the impression that you are connected to example.com. You then ask to download a certain file, but the man (or woman) in the middle sends you a malicious file instead. (As a side note, correctly configured HTTPS, with the S, prevents this.)
A file transmitted via BitTorrent is first divided into pieces. Each of these pieces is then hashed using SHA-1, that is, a checksum is generated by the creator of the torrent. The hashes are provided to each BitTorrent client before the download, usually contained in a .torrent file. As the file pieces are then downloaded by the client, they are first hashed by the client itself and then compared to the previously received hash. A piece is accepted only if the hash matches, which means that it contains exactly the same bytes as the expected piece. It is virtually impossible to craft altered pieces with malicious content that still keep their original hash.
Since these hashes are shared with you before the download, probably from a trusted source, it is harder (if not impossible) to tamper with the expected file or files in transit when they are received via BitTorrent compared to an HTTP download.
If the hashes or the torrent file are tampered with before the download, the checksum validation does not provide any security.
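The piece check described above, and its limit when the hash list itself is replaced, as an added Python example (not code from the original answer or from any BitTorrent client). The piece length, sample data and function names are assumptions made for the illustration; the hash list is modelled as concatenated 20-byte SHA-1 digests, one per piece.

```python
import hashlib
import hmac

SHA1_LEN = 20
PIECE_LENGTH = 16  # constructed small value so the sample spans several pieces


def split_pieces(data: bytes, piece_length: int = PIECE_LENGTH) -> list[bytes]:
    return [data[i:i + piece_length] for i in range(0, len(data), piece_length)]


def make_piece_hashes(data: bytes) -> bytes:
    """Torrent creator: concatenated 20-byte SHA-1 digests, one per piece."""
    return b"".join(hashlib.sha1(p).digest() for p in split_pieces(data))


def verify_piece(piece_hashes: bytes, index: int, piece: bytes) -> bool:
    """Client: hash the received piece and compare with the expected digest."""
    if len(piece_hashes) % SHA1_LEN or not 0 <= index < len(piece_hashes) // SHA1_LEN:
        raise ValueError("malformed hash list or piece index out of range")
    expected = piece_hashes[index * SHA1_LEN:(index + 1) * SHA1_LEN]
    return hmac.compare_digest(hashlib.sha1(piece).digest(), expected)


def receive(piece_hashes: bytes, offered: list[bytes]) -> tuple[list[int], list[int]]:
    """Return (accepted, rejected) piece indexes for pieces offered by peers."""
    accepted, rejected = [], []
    for index, piece in enumerate(offered):
        (accepted if verify_piece(piece_hashes, index, piece) else rejected).append(index)
    return accepted, rejected


# Constructed sample data, not taken from any real torrent.
ORIGINAL = b"release-1.0 contents: the file the publisher intended to ship."
TRUSTED_HASHES = make_piece_hashes(ORIGINAL)

# A piece altered in transit: only that piece fails verification.
tampered = split_pieces(ORIGINAL)
tampered[1] = b"X" * len(tampered[1])
IN_TRANSIT = receive(TRUSTED_HASHES, tampered)

# If the hash list itself was replaced before the download, every altered
# piece verifies: the check only binds the data to whatever hashes you hold.
REPLACED_HASHES = make_piece_hashes(b"".join(tampered))
REPLACED = receive(REPLACED_HASHES, tampered)

if __name__ == "__main__":
    print("trusted hashes :", IN_TRANSIT)
    print("replaced hashes:", REPLACED)
```

With the trusted hash list the client drops the altered piece and keeps the rest; with a replaced hash list the same altered data is accepted in full, which is why the source of the .torrent file matters.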