Why don't websites provide a checksum of their downloadable files?

You mention CCleaner, so it is relevant to link to "Would a digital signature have prevented the CCleaner compromise?" The short answer is that it would not have prevented this particular compromise.

This gives us our first problem with providing hashes: Who are we trusting to sign the build, and what are we trusting them to check? Does the signature simply represent the official build server, which could be compromised? Or does it represent an actual security audit by some pre-trusted party?

However, there are other attacks that such a hash would guard against - for instance, a compromised or fraudulent mirror offering a tampered build. In this case, it would be enough for the primary project page to publish a hash, which could be verified against the download offered by any mirror.

However, this leads us to the second problem, which is one of the hard problems of cryptography: key distribution (or, in this case, signature distribution).

For an unsigned hash, you are simply trusting the page that displays that hash not to have been tampered with. A signed hash at first sight seems better, but you still have to download the public key from somewhere, so you are still trusting the source of that key. If an attacker can direct a user to a fake download page, they can add a link to a public key of their choosing, and the user will get a false sense of security by verifying the hash of a compromised download.

The alternative is to have some central authority that you trust for multiple different applications - this is the principle behind Windows driver signing, Linux package managers, and phone app stores (and also behind the certificates used for HTTPS websites). Now you have a new problem: why do you trust those central authorities? Are they directly auditing the source code and build processes of the files you're downloading? Or are they delegating the trust, via a counter-signed certificate, based on some assurance from the party actually producing the software? Plus, you still need to acquire the root public key somehow - presumably it was included in some trusted installation media when you installed the OS / app store / package manager.

In the end, publishing a hash will be most useful for large projects, where:

  • the same user is likely to download and verify multiple versions, or different applications, with the same public key;
  • and, the source of the public key is likely to be different from the server offering the download (a different server, or some physical medium)

But even then, it cannot fix all exploits, as CCleaner demonstrated; and there is a danger in giving users a false sense of security.
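The mirror case and the fake-download-page case described in the answer above, as an added example that is not part of the original answer. The file name, build contents and manifests are constructed sample data, and the sha256sum-style manifest format is an assumption.

```python
import hashlib
import hmac
import io

def sha256_stream(fileobj, chunk_size=65536):
    """Hash in chunks so a large ISO need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        hexdigest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")
        if not hexdigest:
            continue  # blank line
        if len(hexdigest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        bytes.fromhex(hexdigest)  # raises ValueError on non-hex characters
        entries[name] = hexdigest.lower()
    return entries

def verify(fileobj, name, manifest_text):
    """True only if the file's digest matches the manifest entry for name."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False  # no entry means unverified, never "OK"
    return hmac.compare_digest(sha256_stream(fileobj), expected)

NAME = "app-1.0.tar.gz"  # constructed sample data below, not real releases
GOOD_BUILD = b"official build 1.0"
TAMPERED_BUILD = b"official build 1.0, modified in transit"
PRIMARY_MANIFEST = f"{hashlib.sha256(GOOD_BUILD).hexdigest()}  {NAME}\n"
# What a fake download page would publish beside its own file.
FAKE_PAGE_MANIFEST = f"{hashlib.sha256(TAMPERED_BUILD).hexdigest()} *{NAME}\n"

def run_cases():
    return {
        "honest mirror vs primary hash": verify(io.BytesIO(GOOD_BUILD), NAME, PRIMARY_MANIFEST),
        "tampered mirror vs primary hash": verify(io.BytesIO(TAMPERED_BUILD), NAME, PRIMARY_MANIFEST),
        "fake page vs its own hash": verify(io.BytesIO(TAMPERED_BUILD), NAME, FAKE_PAGE_MANIFEST),
    }

if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case}: {'MATCH' if ok else 'MISMATCH'}")
```

The third case matches even though the file is modified, because the hash came from the same untrusted page as the download.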


Because most users won't check the hash anyway.

It would take a common download protocol that automates and enforces signature verification for this to actually make a dent in malware spread.

That still wouldn't be perfect - a hacked server could also post a different hash. Signing the software itself, as with Windows drivers, probably has more potential for making an impact. Both could be done as well.


I am seeing more hashes (commonly MD5) being shown on sites related to Linux, mainly when ISOs are provided.

You don't want to install an OS from a corrupted ISO, do you?

You'll also find the hash of the Windows 10 ISO on the download page.

The hash is used here only to check the integrity of the downloaded file(s).

When you need to check that the file has not been tampered with, serious sites provide a GPG key signature that you need to check with a GPG key. For example, tails.boum.org does that.

Tags: Hash, Integrity