More often than not, next to the download button of a file there is a variety of checksums.
When I download a file, what security risks am I exposed to if I don't check its integrity?
If the checksums are published on the same server which also hosts the downloads, then there is not much security risk in not checking. If an attacker were able to manipulate the downloads, (s)he would probably be able to manipulate the checksums too. So the main problem is that you might not detect that the download is corrupted.
It is another case if the checksums are provided on a different server than the downloads. If the checksums are served by a well protected server and are served through https, then it does not matter much if the downloaded files themselves are hosted on more problematic sites and without http, at least as long as each user verifies that the downloaded file matches the published checksums. Thus in this case it would be a larger security risk to not validate the checksums.
Verifying a checksum saves you the frustration of potentially allowing a file that has been compromised maliciously to infiltrate your system or network. From a security standpoint, the hash allows a verification to occur that ensures what you have downloaded has not been compromised or left incomplete during the download to your system.
In all reality it's not needed when they are on the same site; there is no real security bonus. It is only of security value when trying to verify that a file from another source is the same file (though even that may be dubious thanks to the success of collision attacks against a lot of typical error detection hashes).
In most cases it is provided to make sure your download was successful.
You could potentially get a corrupt file, or an incomplete download. It is very unlikely, but I guess it is remotely possible, that an incomplete download could damage a system in some way.
One case that I imagine this might apply would be the case of downloading a firmware update for a motherboard or something that doesn't perform validation of the firmware image before applying it. Not checking would possibly mean you brick your device with invalid firmware. It seems very unlikely this would have any implications from a security standpoint though.
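The check discussed in the answers above, where the checksum list comes from a separate HTTPS-served host and the file from a less trusted mirror, can be sketched as follows. This is an added example, not code from any of the answers; it assumes SHA-256 and a coreutils-style checksum list, and the function names and the file name `tool-1.0.tar.gz` are hypothetical.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One line of a coreutils-style checksum list: "<64 hex>  name" or "<64 hex> *name".
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256sums(text):
    """Map file name -> lowercase hex digest, skipping blank and comment lines."""
    digests = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            digests[m.group(2)] = m.group(1).lower()
    return digests


def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large downloads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, checksum_list_text):
    """Return 'ok', 'mismatch' or 'not-listed' for the file at path."""
    expected = parse_sha256sums(checksum_list_text).get(Path(path).name)
    if expected is None:
        return "not-listed"  # fail closed: no trusted digest means no verdict
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed sample; `listing` stands in for the list from the trusted host."""
    with tempfile.TemporaryDirectory() as d:
        full = Path(d, "tool-1.0.tar.gz")
        full.write_bytes(b"constructed release payload\n" * 1000)
        listing = f"{sha256_file(full)}  tool-1.0.tar.gz\n"
        results = [verify_download(full, listing)]
        full.write_bytes(b"constructed release payload\n" * 500)  # incomplete download
        results.append(verify_download(full, listing))
        results.append(verify_download(Path(d, "other.bin"), listing))
        return results
```

`demo()` returns one verdict each for the intact file, the truncated copy and a file absent from the list; a verdict other than `ok` should stop the install.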