The use of mirror sites, CDN’s, and other third-party providers to host downloadable files offers enormous benefits. By offloading the hosting of these static files to third-party providers, sites are able to realize significant increases in performance, availability, and scalability. However, this also introduces another attack vector. If a downloadable file is compromised while hosted by the third-party provider (for example, by a rogue system administrator of a third-party server, or by a hacker that is able to gain access to the third-party server), then these files can easily become vectors for malware, ransomware, and other cyber attacks.
This is not just a hypothetical scenario. In 2012, a SourceForge mirror site was compromised. Attackers inserted a backdoor into a widely used database administration tool hosted on the compromised mirror. In 2013, MaxCDN's servers were compromised by attackers using the credentials of a recently laid-off engineer. This laid the groundwork for an attack on thousands of web sites utilizing a widely-used web development framework. A recent report by Threatpost cites trojanized files as one of the most common attack vectors for ransomware and malware, and the 2020 Solar Winds attack reminds us of just how destructive compromised files that go undetected can be.
As a way of mitigating this threat, sites often post checksum hashes near the download link for a file hosted by a third-party provider. For example, see this page at Dell's web site, where Dell users can download a BIOS update for a Dell laptop computer. Notice on this page that the expected checksum hashes for the downloadable file are posted, just below where it reads, 'To ensure the integrity of your download, please verify the checksum value'. The expectation is that after downloading the file to their system, the user will take the checksum of the file, and verify that the actual checksum of the file matches the expected checksum as published on the site. If not, then this is an indication that the file may have been compromised or tampered with.
However, this procedure almost always goes unused, as reported in a 2018 paper by Mauro Cherubini et al. Most non-technical users are simply unfamiliar with the verification procedure and how to apply it. And, even technical users often neglect to perform the procedure out of complacency. Yet, failure to apply this procedure can have disastrous consequences if the file has been compromised. Computer science researcher Adrian Colyer wrote about this subject in 2018. Colyer's article highlights Cherubini’s findings, and goes on to underscore the need for an automated solution to this problem. Cherubini and Colyer note that standards such as HTTPS, SSL/TLS, and subresource integrity are not solutions to this problem, and propose a browser extension as a solution.
US patent #10,505,736 teaches a solution for solving this problem. The solution disclosed in the '736 patent is an automated solution for verifying the integrity of files downloaded from the web that runs transparently to the user, without user intervention, and without the need for the user to install a browser extension.
Below is a second demo, simulating a case where the file may have been tampered with, as the actual checksum of the file does not match the expected checksum. After clicking the button below, the user sees that the integrity verification fails, and the file is not made available to the user to open or save to their system.