A Study on the Use of Checksums for Integrity Verification of Web Downloads

Details

Resource 1. Download: Meylan2020TOPS.pdf (6342.10 KB)
Status: Public
Version: Author's accepted manuscript
License: Not specified
ID Serval
serval:BIB_970B9AA5408B
Type
Article: article in a journal or magazine.
Collection
Publications
Institution
Title
A Study on the Use of Checksums for Integrity Verification of Web Downloads
Journal
ACM Transactions on Privacy and Security
Authors
Meylan Alexandre, Cherubini Mauro, Chapuis Bertil, Humbert Mathias, Bilogrevic Igor, Huguenin Kévin
ISSN
2471-2566
Editorial status
Published
Publication date
09/2020
Peer-reviewed
Yes
Volume
4
Issue
1
Pages
4:1-4:36
Language
English
Abstract
App stores provide access to millions of programs that users can download onto their computers. Developers can also make their programs available for download on their own websites and host the program files either directly on their website or on third-party platforms, such as mirrors. In the latter case, since users download the software without any vetting by the developers, they should take the necessary precautions to ensure that it is authentic. One way to do this is to check that the integrity verification code published for the file (its checksum, if one is provided) matches that of the downloaded file. To date, however, there is little evidence to suggest that such a process is effective, and very few usability studies of it exist.
In this paper, we provide the first comprehensive study that assesses the usability and effectiveness of the manual checksum verification process. First, by means of an in-situ experiment with 40 participants and eye-tracking technology, we show that the process is cumbersome and error-prone. Second, after a 4-month in-the-wild experiment with 134 participants, we demonstrate how our proposed solution, a Chrome extension that verifies checksums automatically, significantly reduces human errors, improves coverage, and has only a limited impact on usability. The experiment also confirms that, sadly, only a tiny minority of the websites in our sample that link to executable files provide checksums (0.01%), which is a strong call to action for web standards bodies, service providers and content creators to increase the use of file integrity verification on their properties.
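The check the abstract describes, automated rather than done by hand, as an added example that is not the paper's Chrome extension or any code from the authors: the downloaded file is hashed in chunks, the publisher's checksum list is parsed in the `<hex>  <filename>` format that `sha256sum`/`shasum` write, the hash function is inferred from the digest length, and the comparison is constant-time. The file name `installer.bin`, the `SHA256SUMS` text and the "hostile mirror" that appends one byte are all constructed for this example.

```python
"""Automated checksum verification of a web download (added example).

Hash the downloaded file in chunks, parse the publisher's checksum file in
the format written by sha256sum/shasum, and compare in constant time.
"""
import hashlib
import hmac
import os
import tempfile

# Hex-digest length -> hash algorithm, for checksum lines that do not name one.
_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# md5 and sha1 are collision-broken; a match with them is evidence against
# accidental corruption, not against a capable adversary.
WEAK_ALGOS = {"md5", "sha1"}


def detect_algorithm(hex_digest: str) -> str:
    """Infer the hash function from the digest length; raise on unknown lengths."""
    try:
        return _DIGEST_LEN[len(hex_digest)]
    except KeyError:
        raise ValueError(f"unrecognised digest length {len(hex_digest)}")


def parse_checksum_file(text: str) -> dict:
    """Parse '<hex>  <filename>' lines (GNU coreutils format; '*name' marks binary mode).

    Returns {filename: hex_digest}. Blank lines and '#' comments are ignored;
    malformed lines raise instead of being silently skipped.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<hex> <filename>'")
        digest, name = parts
        name = name.lstrip("*")  # binary-mode marker
        digest = digest.lower()
        if any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: digest is not hex")
        detect_algorithm(digest)  # validates the length
        entries[name] = digest
    return entries


def file_digest(path: str, algo: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through the hash so large downloads need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path: str, expected_hex: str, allow_weak: bool = False) -> bool:
    """True iff the file's digest equals expected_hex (algorithm inferred from its length)."""
    algo = detect_algorithm(expected_hex)
    if algo in WEAK_ALGOS and not allow_weak:
        raise ValueError(f"{algo} checksum refused; pass allow_weak=True to accept it")
    actual = file_digest(path, algo)
    # compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(actual, expected_hex.lower())


def demo() -> tuple:
    """Constructed scenario: a genuine download and a copy tampered with by a mirror."""
    genuine = b"abc"  # constructed 'installer' content; SHA-256("abc") is well known
    checksum_text = (
        "# SHA256SUMS as published on the vendor's own site (constructed)\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  installer.bin\n"
    )
    published = parse_checksum_file(checksum_text)
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "installer.bin")
        bad = os.path.join(d, "installer-from-mirror.bin")
        with open(good, "wb") as f:
            f.write(genuine)
        with open(bad, "wb") as f:
            f.write(genuine + b"\x00")  # one byte appended by a hostile mirror
        expected = published["installer.bin"]
        return verify_download(good, expected), verify_download(bad, expected)


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print("genuine download verified:", ok)            # True
    print("tampered download verified:", tampered_ok)  # False
```

The check is only as good as the channel the checksum arrives over: a checksum served by the same mirror that serves the file proves nothing, which is why the example reads it from the publisher's own page and why a detached signature over the checksum list is preferable where one is offered. The refusal of md5/sha1 by default is this example's policy, not the paper's.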
Open Access
Yes
Funding
Fondation Hasler / 19024
Record created
09/07/2020 9:59
Record last modified
03/02/2021 7:24
Usage data