You are incorrect in your analysis that the described attack of replacing both a TrueCrypt application file, and MD5 hashes used to verify that file, is difficult to perform due to a timing issue. This attack is trivial to perform and does not require any advanced security skills beyond that which a penetration tester or an information security consultant would possess.
The recommendation I made to put app signatures on a separate host refers to the MD5 hash of the TrueCrypt application file (the EXE file). This MD5 hash acts as a signature, and is made available so that a user can compare a hash of a downloaded application to ensure the file has downloaded properly and has not been modified, or otherwise corrupted.
When an attacker can control a user's network traffic, this is known as a man in the middle (MITM) attack. Under these conditions, it is trivial for an attacker to replace both the TrueCrypt application file, and the MD5 hashes file, at the same time, in the same way, for the same user.
Fundamentally, if someone else controls your internet, and you are downloading something over an unencrypted link, then you can't trust that it hasn't been modified, whether it's an application, or a hash used to verify the authenticity of an application.
I recommend hosting hashes on a separate host, with a certificate signed by a separate certificate authority. This is in response to the unlikely risk that an attacker may have obtained access to the TrueCrypt website's private key, or the TrueCrypt website's certificate authority's private key, and is able to perform this attack despite the usage of encryption and certificates. In this scenario, the difficulty of an attack succeeding is reduced by requiring that the attacker obtain two keys instead of one. This is in accordance with the principle of defence in depth, but it offers a minor level of protection as almost all users will not verify the hash values. However, note that people's lives depend on this software, and as such they would do well to follow best practices.
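
The verification logic discussed in the comment above, as an added example that is not part of the original comment: a digest fetched over the same channel as the file always agrees with whatever file arrived, while requiring a match against a digest from a separately secured host rejects the swap. The function names, source labels and sample bytes are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    # MD5 is used only because it is the hash the comment above refers to.
    return hashlib.md5(data).hexdigest()

def verify_download(file_bytes: bytes, published: dict) -> bool:
    """Accept the file only if the digest from EVERY source matches it.

    `published` maps a source label to the hex digest fetched from it.
    """
    if not published:
        return False  # no reference digest means nothing was verified
    actual = md5_hex(file_bytes)
    return all(hmac.compare_digest(actual, d.strip().lower())
               for d in published.values())

# Constructed sample data: stand-ins for the real installer and a modified copy.
GENUINE = b"constructed stand-in for the genuine installer"
TAMPERED = b"constructed stand-in for a modified installer"

def demo() -> dict:
    # Channel the attacker controls: file and digest are swapped together,
    # so they always agree with each other.
    same_channel = {"download-host": md5_hex(TAMPERED)}
    # The digest from a separately secured host is still the genuine one.
    two_channels = dict(same_channel, **{"separate-host": md5_hex(GENUINE)})
    return {
        "tampered_vs_same_channel": verify_download(TAMPERED, same_channel),
        "tampered_vs_two_channels": verify_download(TAMPERED, two_channels),
        "genuine_vs_genuine_digests": verify_download(
            GENUINE, {"download-host": md5_hex(GENUINE),
                      "separate-host": md5_hex(GENUINE)}),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```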