A study on the use of checksums for integrity verification of web downloads

Meylan, Alexandre (Kudelski Security, Switzerland) ; Cherubini, Mauro (University of Lausanne (UNIL), Lausanne, Switzerland) ; Chapuis, Bertil (School of Management and Engineering Vaud, HES-SO // University of Applied Sciences Western Switzerland) ; Humbert, Mathias (armasuisse S+T, Switzerland) ; Bilogrevic, Igor (Google Inc., Switzerland) ; Huguenin, Kévin (University of Lausanne (UNIL), Lausanne, Switzerland)

App stores provide access to millions of different programs that users can download on their computers. Developers can also make their programs available for download on their websites and host the program files either directly on their website or on third-party platforms, such as mirrors. In the latter case, as users download the software without any vetting from the developers, they should take the necessary precautions to ensure that it is authentic. One way to accomplish this is to check that the published file’s integrity verification code—the checksum—matches that (if provided) of the downloaded file. To date, however, there is little evidence to suggest that such a process is effective. Even worse, very few usability studies about it exist. In this article, we provide the first comprehensive study that assesses the usability and effectiveness of the manual checksum verification process. First, by means of an in-situ experiment with 40 participants and eye-tracking technology, we show that the process is cumbersome and error-prone. Second, after a 4-month-long in-the-wild experiment with 134 participants, we demonstrate how our proposed solution—a Chrome extension that verifies checksums automatically—significantly reduces human errors, improves coverage, and has only limited impact on usability. It also confirms that, sadly, only a tiny minority of websites that link to executable files in our sample provide checksums (0.01%), which is a strong call to action for web standards bodies, service providers, and content creators to increase the use of file integrity verification on their properties.

Article Type:
Ingénierie et Architecture
IICT - Institut des Technologies de l'Information et de la Communication
36 p.
Published in:
ACM Transactions on Privacy and Security
Numeration (vol. no.):
2020, article no. 4
Appears in Collection:

 Record created 2021-02-23, last modified 2021-02-25

Download fulltext

Rate this document:

Rate this document:
(Not yet reviewed)